CVE-2021-34433

Name of the Vulnerable Software and Affected Versions: Eclipse Californium versions 2.0.0 through 2.6.4 Eclipse Californium versions 3.0.0-M1 through 3.0.0-M3

Description: The certificate-based DTLS handshakes in Eclipse Californium may accidentally succeed without verifying the server side's signature on the client side if that signature is not included in the server's ServerKeyExchange. This issue affects x509 and RPK DTLS handshakes.

Recommendations: For versions 2.0.0 through 2.6.4, update to a version outside of this range to ensure the DTLS handshake properly verifies the server's signature. For versions 3.0.0-M1 through 3.0.0-M3, update to a version outside of this range to ensure the DTLS handshake properly verifies the server's signature. As a temporary workaround, consider restricting the use of certificate-based DTLS handshakes until a patch is available.