CVE-2022-2576

EPSS 0.5%CWE-408

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

29 Jul 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.

Affected products

The Eclipse Foundation · Eclipse Californium

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://bugs.eclipse.org/580018