Incomplete Cleanup
CVE-2022-39368
Summary
Eclipse Californium is a Java implementation of RFC 7252 (Constrained Application Protocol) for IoT cloud services. In versions prior to 2.7.4 and 3.x prior to 3.7.0, Californium is vulnerable to a Denial of Service. Failing handshakes don't clean up the counters used for throttling, so the threshold is reached and never released again. This results in permanently dropping records. The issue was reported for certificate based handshakes, but may also affect PSK based handshakes. It affects both clients and servers. This issue is patched in versions 2.7.4 and 3.7.0. There are no known workarounds.
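To illustrate the failure mode described above, the following is an added, constructed model of a handshake throttle that leaks a slot on every failed handshake, beside the hardened variant that releases the slot unconditionally; it is not Californium's code, and the class names, the threshold of 3 and the simulated certificate failure are assumptions for the demonstration.

```java
import java.util.concurrent.atomic.AtomicInteger;

/** Constructed model of the leak the advisory describes; not Californium's own code. */
public class HandshakeThrottleDemo {
    enum Outcome { COMPLETED, FAILED, DROPPED }
    /** Counts in-flight handshakes; new ones above the threshold are dropped. */
    static class HandshakeThrottle {
        private final int threshold;
        private final boolean releaseOnFailure;
        private final AtomicInteger inFlight = new AtomicInteger();
        HandshakeThrottle(int threshold, boolean releaseOnFailure) {
            this.threshold = threshold;
            this.releaseOnFailure = releaseOnFailure;
        }
        int pending() { return inFlight.get(); }
        Outcome handshake(boolean peerPresentsBadCertificate) {
            // Admission: once the counter has reached the threshold, further records are dropped.
            if (inFlight.incrementAndGet() > threshold) {
                inFlight.decrementAndGet();
                return Outcome.DROPPED;
            }
            boolean succeeded = false;
            try {
                if (peerPresentsBadCertificate) {
                    throw new IllegalStateException("certificate verification failed");
                }
                succeeded = true;
                return Outcome.COMPLETED;
            } catch (IllegalStateException e) {
                return Outcome.FAILED;
            } finally {
                // Vulnerable when releaseOnFailure=false: the slot is released only after success,
                // so each failed handshake leaks one. Fixed pattern: always release in finally.
                if (succeeded || releaseOnFailure) {
                    inFlight.decrementAndGet();
                }
            }
        }
    }
    public static void main(String[] args) {
        int threshold = 3;
        for (boolean fixed : new boolean[] {false, true}) {
            HandshakeThrottle throttle = new HandshakeThrottle(threshold, fixed);
            // Constructed scenario: `threshold` failing handshakes, then one valid peer.
            for (int i = 0; i < threshold; i++) throttle.handshake(true);
            Outcome legit = throttle.handshake(false);
            System.out.printf("fixed=%b leaked=%d legitimate=%s%n", fixed, throttle.pending(), legit);
        }
    }
}
```

With the vulnerable setting the three failures leave three leaked slots and the legitimate peer is reported as DROPPED; with release on failure the counter returns to zero and the legitimate handshake completes.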
- LOW
- NETWORK
- LOW
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-459 - Incomplete Cleanup
The software does not properly "clean up" and remove temporary or supporting resources after they have been used.
Advisory Timeline
- Published