PT-2022-17593 · Eclipse · org.eclipse.milo:sdk-server

Sharon Brizinov (+2)

Published 2022-09-08 · Updated 2022-09-15

CVE-2022-25897

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: org.eclipse.milo:sdk-server versions prior to 0.6.8

Description: The OPC UA specification defines a concept named Subscriptions, which monitor a set of Monitored Items for Notifications and return them to the Client in response to Publish requests. The issue allows a Denial of Service (DoS): the server's limits on excessive memory consumption can be bypassed by sending multiple CloseSession requests with the deleteSubscription parameter equal to False. Creating many sessions with subscriptions and monitored items and closing them this way, without ever deleting the monitored items, eventually consumes all available process memory and crashes the server.

Recommendations: For versions prior to 0.6.8, update to version 0.6.8 or later to resolve the issue. As a temporary workaround, restrict the number of concurrent sessions, subscriptions per session, and monitored items per subscription to minimize the risk of exploitation. Additionally, avoid using the deleteSubscription parameter equal to False in CloseSession requests until the issue is resolved.
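The following is an added illustrative model, written for this page and not Eclipse Milo code, of the server-side bookkeeping the description refers to: it shows why subscriptions that outlive a CloseSession with deleteSubscription=False accumulate, and how the per-server limits the workaround recommends (the limit names here are assumptions, not Milo configuration keys) keep the retained state bounded.

```python
# Illustrative model, written for this page and not Eclipse Milo code, of the
# session/subscription bookkeeping behind CVE-2022-25897 and of the limits the
# advisory recommends as a workaround. A subscription is modelled by its
# monitored-item count; limit names are assumptions, not Milo config keys.

class LimitExceeded(Exception): pass

class Server:
    def __init__(self, max_sessions=100, max_subs_per_session=10,
                 max_items_per_sub=1000, max_retained_subs=100):
        self.max_sessions = max_sessions
        self.max_subs_per_session = max_subs_per_session
        self.max_items_per_sub = max_items_per_sub
        self.max_retained_subs = max_retained_subs  # cap on subscriptions outliving their session
        self.sessions = {}      # session id -> list of item counts, one per subscription
        self.retained = []      # orphaned subscriptions awaiting TransferSubscriptions
        self._next_id = 0

    def create_session(self) -> int:
        if len(self.sessions) >= self.max_sessions:
            raise LimitExceeded("max sessions")
        self._next_id += 1
        self.sessions[self._next_id] = []
        return self._next_id

    def create_subscription(self, sid: int, items: int) -> None:
        subs = self.sessions[sid]
        if len(subs) >= self.max_subs_per_session:
            raise LimitExceeded("max subscriptions per session")
        if items > self.max_items_per_sub:
            raise LimitExceeded("max monitored items per subscription")
        subs.append(items)

    def close_session(self, sid: int, delete_subscriptions: bool) -> None:
        subs = self.sessions.pop(sid)
        # deleteSubscriptions=False keeps subscriptions alive for a later transfer.
        # Without a cap on how many may be retained, each such CloseSession leaks
        # its monitored items: the growth path the advisory describes.
        if not delete_subscriptions and len(self.retained) + len(subs) <= self.max_retained_subs:
            self.retained.extend(subs)   # over the cap they are released with the session

    def retained_items(self) -> int:
        return sum(self.retained)

def churn(server: Server, cycles: int, items: int = 1000) -> int:
    """Open a session, subscribe, close with deleteSubscriptions=False; repeat.
    Returns how many monitored items the server still holds afterwards."""
    for _ in range(cycles):
        sid = server.create_session()
        server.create_subscription(sid, items)
        server.close_session(sid, delete_subscriptions=False)
    return server.retained_items()
```

With `max_retained_subs` effectively unlimited, `churn` grows the retained state linearly with the number of cycles; with the cap in place it plateaus at the cap regardless of how many sessions are churned.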

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2022-25897
GHSA-FPH9-F5R6-VHQF

Affected Products

org.eclipse.milo:sdk-server