ID

VAR-202102-0309


CVE

CVE-2020-27222


TITLE

Vulnerability in Eclipse Californium

Trust: 0.8

sources: JVNDB: JVNDB-2020-015866

DESCRIPTION

In Eclipse Californium versions 2.3.0 to 2.6.0, certificate-based (X.509 and RPK) DTLS handshakes accidentally fail because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate-based DTLS handshake failure with a TLS parameter mismatch. The DTLS server side must be restarted to recover from this. This allows clients to force a DoS. Eclipse Californium contains an unspecified vulnerability. It may be put into a denial-of-service (DoS) state. Eclipse Californium is a Java-based code library of the Eclipse Foundation that provides CoAP back-end support for the Internet of Things. No detailed vulnerability details are currently provided.

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Integration Camel-K 1.4 release and security update
Advisory ID: RHSA-2021:3205-01
Product: Red Hat Integration
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3205
Issue date: 2021-08-18
Cross references: RHBA-2021:79512-01
CVE Names: CVE-2020-13920 CVE-2020-17518 CVE-2020-17521 CVE-2020-26238
           CVE-2020-27222 CVE-2020-27782 CVE-2020-28052 CVE-2020-29582
           CVE-2021-20218 CVE-2021-27807 CVE-2021-27906 CVE-2021-30468
           CVE-2021-31811
=====================================================================

1. Summary:

A minor version update (from 1.3 to 1.4) is now available for Red Hat Integration Camel K that includes bug fixes and enhancements. The purpose of this text-only errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

A minor version update (from 1.3 to 1.4) is now available for Red Hat Camel K that includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

* cron-utils: template injection allows attackers to inject arbitrary Java EL expressions leading to remote code execution (CVE-2020-26238)
* californium-core: DTLS - DoS vulnerability for certificate based handshakes (CVE-2020-27222)
* undertow: special character in query results in server errors (CVE-2020-27782)
* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible (CVE-2020-28052)
* activemq: improper authentication allows MITM attack (CVE-2020-13920)
* flink: apache-flink: directory traversal attack allows remote file writing through the REST API (CVE-2020-17518)
* groovy: OS temporary directory leads to information disclosure (CVE-2020-17521)
* kubernetes-client: fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise (CVE-2021-20218)
* pdfbox: infinite loop while loading a crafted PDF file (CVE-2021-27807)
* cxf-rt-rs-json-basic: CXF: Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter (CVE-2021-30468)
* kotlin-scripting-jvm: kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure (CVE-2020-29582)
* pdfbox: OutOfMemory-Exception while loading a crafted PDF file (CVE-2021-27906)
* pdfbox: OutOfMemory-Exception while loading a crafted PDF file (CVE-2021-31811)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1880101 - CVE-2020-13920 activemq: improper authentication allows MITM attack
1901304 - CVE-2020-27782 undertow: special character in query results in server errors
1901655 - CVE-2020-26238 cron-utils: template injection allows attackers to inject arbitrary Java EL expressions leading to remote code execution
1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
1913312 - CVE-2020-17518 apache-flink: directory traversal attack allows remote file writing through the REST API
1922123 - CVE-2020-17521 groovy: OS temporary directory leads to information disclosure
1923405 - CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
1930230 - CVE-2020-27222 californium-core: DTLS - DoS vulnerability for certificate based handshakes
1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure
1941050 - CVE-2021-27906 pdfbox: OutOfMemory-Exception while loading a crafted PDF file
1941055 - CVE-2021-27807 pdfbox: infinite loop while loading a crafted PDF file
1971648 - CVE-2021-31811 pdfbox: OutOfMemory-Exception while loading a crafted PDF file
1973392 - CVE-2021-30468 CXF: Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter

5. References:

https://access.redhat.com/security/cve/CVE-2020-13920
https://access.redhat.com/security/cve/CVE-2020-17518
https://access.redhat.com/security/cve/CVE-2020-17521
https://access.redhat.com/security/cve/CVE-2020-26238
https://access.redhat.com/security/cve/CVE-2020-27222
https://access.redhat.com/security/cve/CVE-2020-27782
https://access.redhat.com/security/cve/CVE-2020-28052
https://access.redhat.com/security/cve/CVE-2020-29582
https://access.redhat.com/security/cve/CVE-2021-20218
https://access.redhat.com/security/cve/CVE-2021-27807
https://access.redhat.com/security/cve/CVE-2021-27906
https://access.redhat.com/security/cve/CVE-2021-30468
https://access.redhat.com/security/cve/CVE-2021-31811
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html/getting_started_with_camel_k/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q3

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

Trust: 2.97

sources: NVD: CVE-2020-27222 // JVNDB: JVNDB-2020-015866 // CNVD: CNVD-2021-14163 // CNNVD: CNNVD-202102-313 // VULMON: CVE-2020-27222 // PACKETSTORM: 163874 // PACKETSTORM: 163872

IOT TAXONOMY

category: ['IoT']  sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-14163

AFFECTED PRODUCTS

vendor: eclipse  model: californium  scope: lte  version: 2.6.0

Trust: 1.0

vendor: eclipse  model: californium  scope: gte  version: 2.3.0

Trust: 1.0

vendor: eclipse  model: californium  scope: eq  version: -

Trust: 0.8

vendor: eclipse  model: californium  scope: eq  version: 2.3.0 to 2.6.0

Trust: 0.8

vendor: eclipse  model: californium  scope: gte  version: 2.3.0,<=2.6.0

Trust: 0.6

sources: CNVD: CNVD-2021-14163 // JVNDB: JVNDB-2020-015866 // NVD: CVE-2020-27222

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-27222
value: HIGH

Trust: 1.0

NVD: CVE-2020-27222
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-14163
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202102-313
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-27222
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2021-14163
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-27222
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-27222
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-14163 // JVNDB: JVNDB-2020-015866 // CNNVD: CNNVD-202102-313 // NVD: CVE-2020-27222

PROBLEMTYPE DATA

problemtype: CWE-372

Trust: 1.0

problemtype: NVD-CWE-Other

Trust: 1.0

problemtype: Other (CWE-Other) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-015866 // NVD: CVE-2020-27222

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-313

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202102-313

PATCH

title: Bug 570844  url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844

Trust: 0.8

title: Patch for Eclipse Californium Denial of Service Vulnerability  url: https://www.cnvd.org.cn/patchInfo/show/250496

Trust: 0.6

title: Eclipse Californium Security vulnerabilities  url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=141712

Trust: 0.6

sources: CNVD: CNVD-2021-14163 // JVNDB: JVNDB-2020-015866 // CNNVD: CNNVD-202102-313

EXTERNAL IDS

db: NVD  id: CVE-2020-27222

Trust: 3.3

db: JVNDB  id: JVNDB-2020-015866

Trust: 0.8

db: PACKETSTORM  id: 163872

Trust: 0.7

db: CNVD  id: CNVD-2021-14163

Trust: 0.6

db: AUSCERT  id: ESB-2021.2816

Trust: 0.6

db: CNNVD  id: CNNVD-202102-313

Trust: 0.6

db: VULMON  id: CVE-2020-27222

Trust: 0.1

db: PACKETSTORM  id: 163874

Trust: 0.1

sources: CNVD: CNVD-2021-14163 // VULMON: CVE-2020-27222 // JVNDB: JVNDB-2020-015866 // PACKETSTORM: 163874 // PACKETSTORM: 163872 // CNNVD: CNNVD-202102-313 // NVD: CVE-2020-27222

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2020-27222

Trust: 2.2

url:https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844

Trust: 1.7

url:https://packetstormsecurity.com/files/163872/red-hat-security-advisory-2021-3205-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2816

Trust: 0.6

url:https://access.redhat.com/security/cve/cve-2020-13920

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-20218

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-29582

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-20218

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-27222

Trust: 0.2

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=red.hat.integration&version=2021-q3

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-17521

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-17521

Trust: 0.2

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-17518

Trust: 0.2

url:https://access.redhat.com/articles/11258

Trust: 0.2

url:https://access.redhat.com/security/team/contact/

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-27782

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-13920

Trust: 0.2

url:https://bugzilla.redhat.com/

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-29582

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-26238

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-27782

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-17518

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-26238

Trust: 0.2

url:https://nvd.nist.gov

Trust: 0.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/196140

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2021:3207

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html-single/getting_started_with_camel_quarkus_extensions/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-27906

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-30468

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-27906

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-28052

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-27807

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-30468

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-31811

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-27807

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html/getting_started_with_camel_k/

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-31811

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-28052

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2021:3205

Trust: 0.1

sources: CNVD: CNVD-2021-14163 // VULMON: CVE-2020-27222 // JVNDB: JVNDB-2020-015866 // PACKETSTORM: 163874 // PACKETSTORM: 163872 // CNNVD: CNNVD-202102-313 // NVD: CVE-2020-27222

CREDITS

Red Hat

Trust: 0.2

sources: PACKETSTORM: 163874 // PACKETSTORM: 163872

SOURCES

db: CNVD  id: CNVD-2021-14163
db: VULMON  id: CVE-2020-27222
db: JVNDB  id: JVNDB-2020-015866
db: PACKETSTORM  id: 163874
db: PACKETSTORM  id: 163872
db: CNNVD  id: CNNVD-202102-313
db: NVD  id: CVE-2020-27222

LAST UPDATE DATE

2024-08-14T12:56:37.221000+00:00


SOURCES UPDATE DATE

db: CNVD  id: CNVD-2021-14163  date: 2021-03-03T00:00:00
db: VULMON  id: CVE-2020-27222  date: 2021-02-09T00:00:00
db: JVNDB  id: JVNDB-2020-015866  date: 2021-10-19T08:56:00
db: CNNVD  id: CNNVD-202102-313  date: 2021-08-20T00:00:00
db: NVD  id: CVE-2020-27222  date: 2021-02-09T15:21:45.077

SOURCES RELEASE DATE

db: CNVD  id: CNVD-2021-14163  date: 2021-03-03T00:00:00
db: VULMON  id: CVE-2020-27222  date: 2021-02-03T00:00:00
db: JVNDB  id: JVNDB-2020-015866  date: 2021-10-19T00:00:00
db: PACKETSTORM  id: 163874  date: 2021-08-18T15:25:13
db: PACKETSTORM  id: 163872  date: 2021-08-18T15:23:11
db: CNNVD  id: CNNVD-202102-313  date: 2021-02-03T00:00:00
db: NVD  id: CVE-2020-27222  date: 2021-02-03T16:15:13.117