CVE Tools
Sign in

CVE-2022-39368

Californium Failing DTLS handshakes causes Data Loss due to throttling blocking processing of records

Published: Nov 9, 2022Updated: Nov 21, 2024 Sources: CVE List NVD GHSACWE-404
NVD MITRE
8.2CVSSHIGH
EPSS Score
0.6%
Top 58.3%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Eclipse Californium is a Java implementation of RFC7252 - Constrained Application Protocol for IoT Cloud services. In versions prior to 3.7.0, and 2.7.4, Californium is vulnerable to a Denial of Service. Failing handshakes don't cleanup counters for throttling, causing the threshold to be reached without being released again. This results in permanently dropping records. The issue was reported for certificate based handshakes, but may also affect PSK based handshakes. It generally affects client and server as well. This issue is patched in version 3.7.0 and 2.7.4. There are no known workarounds. main: commit 726bac57659410da463dcf404b3e79a7312ac0b9 2.7.x: commit 5648a0c27c2c2667c98419254557a14bac2b1f3f

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:LA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:LIntegrity
Low
A:HAvailability
High
Open in CVSS calculator →

Weaknesses

CWE-404CWE-459

Affected Products

californiumeclipseDevTools & CI
californiumeclipse-californium
Library
OSS Libraries / generic-library
org.eclipse.californium:scandiumMavenOSS Libraries
eclipseoss-projectBEDevTools & CIaka eclipse-foundation
eclipse-californiumoss-projectUSOSS Libraries
mavenpackage-ecosystemOSS Libraries

Exploitability

Official Patch Available

References

https://github.com/eclipse-californium/californium/commit/5648a0c27c2c2667c98419254557a14bac2b1f3f
github.com
https://github.com/eclipse-californium/californium/commit/726bac57659410da463dcf404b3e79a7312ac0b9
github.com
https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjg
github.com
and 4 more references View all →

Timeline

Published
Nov 9, 2022
Last Updated
Nov 21, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2022-39368 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows