In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HEclipse Californium
APPEclipse2.0.0 – 2.7.23.0.0 – 3.5.0
Related vulnerabilities
Eclipse Californium is a Java implementation of RFC7252 - Constrained Application Protocol for IoT Cloud servi...
In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) D...
In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidental...
An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Consol...
A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mech...