Details of VAR-202207-2077

ID

VAR-202207-2077

CVE

CVE-2022-2576

TITLE

Eclipse Foundation of Californium Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-014167

DESCRIPTION

In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0. Eclipse Foundation of Californium Exists in unspecified vulnerabilities.Service operation interruption (DoS) It may be in a state. Eclipse Californium is a Java-based code library that provides Coap backend support for the Internet of Things from the Eclipse Foundation. Eclipse Californium versions 2.0.0 to 2.7.2, and 3.0.0 to 3.5.0 have security vulnerabilities due to the vulnerability of the DTLS stack to denial of service attacks

Trust: 2.25

sources: NVD: CVE-2022-2576 // JVNDB: JVNDB-2022-014167 // CNNVD: CNNVD-202207-2765 // VULMON: CVE-2022-2576

AFFECTED PRODUCTS

vendor:	eclipse	model:	californium	scope:	lte	version:	2.7.2	Trust: 1.0
vendor:	eclipse	model:	californium	scope:	gte	version:	3.0.0	Trust: 1.0
vendor:	eclipse	model:	californium	scope:	lte	version:	3.5.0	Trust: 1.0
vendor:	eclipse	model:	californium	scope:	gte	version:	2.0.0	Trust: 1.0
vendor:	eclipse	model:	californium	scope:	-	version:	-	Trust: 0.8
vendor:	eclipse	model:	californium	scope:	eq	version:	2.0.0 to 2.7.2	Trust: 0.8
vendor:	eclipse	model:	californium	scope:	eq	version:	3.0.0 to 3.5.0	Trust: 0.8
vendor:	eclipse	model:	californium	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-014167 // NVD: CVE-2022-2576

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-2576
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-2576
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202207-2765
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-2576
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2022-2576
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-014167 // CNNVD: CNNVD-202207-2765 // NVD: CVE-2022-2576

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-408	Trust: 1.0
problemtype:	Lack of information (CWE-noinfo) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-014167 // NVD: CVE-2022-2576

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202207-2765

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202207-2765

PATCH

title:

Eclipse Californium Security vulnerabilities

url:

http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=203351

Trust: 0.6

sources: CNNVD: CNNVD-202207-2765

EXTERNAL IDS

db:	NVD	id:	CVE-2022-2576	Trust: 3.3
db:	JVNDB	id:	JVNDB-2022-014167	Trust: 0.8
db:	CNNVD	id:	CNNVD-202207-2765	Trust: 0.6
db:	VULMON	id:	CVE-2022-2576	Trust: 0.1

sources: VULMON: CVE-2022-2576 // JVNDB: JVNDB-2022-014167 // CNNVD: CNNVD-202207-2765 // NVD: CVE-2022-2576

REFERENCES

url:	https://bugs.eclipse.org/580018	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2022-2576	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-2576/	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2022-2576 // JVNDB: JVNDB-2022-014167 // CNNVD: CNNVD-202207-2765 // NVD: CVE-2022-2576

SOURCES

db:	VULMON	id:	CVE-2022-2576
db:	JVNDB	id:	JVNDB-2022-014167
db:	CNNVD	id:	CNNVD-202207-2765
db:	NVD	id:	CVE-2022-2576

LAST UPDATE DATE

2024-08-14T14:49:41.440000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2022-2576	date:	2022-07-29T00:00:00
db:	JVNDB	id:	JVNDB-2022-014167	date:	2023-09-14T08:14:00
db:	CNNVD	id:	CNNVD-202207-2765	date:	2022-08-10T00:00:00
db:	NVD	id:	CVE-2022-2576	date:	2022-08-05T16:13:48.700

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2022-2576	date:	2022-07-29T00:00:00
db:	JVNDB	id:	JVNDB-2022-014167	date:	2023-09-14T00:00:00
db:	CNNVD	id:	CNNVD-202207-2765	date:	2022-07-29T00:00:00
db:	NVD	id:	CVE-2022-2576	date:	2022-07-29T14:15:08.177