PT-2022-24935 · Eclipse · Eclipse Californium

Highboaks · Published 2022-11-09 · Updated 2022-11-17 · CVE-2022-39368

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions
Eclipse Californium versions prior to 3.7.0
Eclipse Californium versions prior to 2.7.4

Description
Eclipse Californium, a Java implementation of RFC 7252 (Constrained Application Protocol) for IoT cloud services, is vulnerable to a denial of service. Failing handshakes do not clean up the counters used for throttling, so the throttling threshold is eventually reached and never released again, after which records are permanently dropped. The issue affects certificate-based and potentially PSK-based handshakes, and impacts both client and server.

Recommendations
For versions prior to 3.7.0, update to version 3.7.0. For versions prior to 2.7.4, update to version 2.7.4. As a temporary workaround, consider restricting the handshake process to prevent the threshold from being reached, until a patch is available.
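The following is an added illustration of the weakness class described above; it is constructed for this page and is not Californium's code. It models a generic throttle that caps the number of in-flight handshakes: the leaky variant releases its slot only on the success path, so every failed handshake permanently consumes one slot until the threshold is reached and all further handshakes are refused; the fixed variant releases the slot in a finally block so every outcome frees it. All class, method and field names (Throttle, handshakeLeaky, handshakeFixed, HandshakeException) are hypothetical.

```java
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Constructed illustration (not Californium's own code) of an improper
 * resource release in a handshake throttle: a counter incremented when a
 * handshake starts must be decremented on every outcome, not only on success.
 */
public class HandshakeThrottleDemo {

    /** Thrown by the simulated handshake when it fails (hypothetical). */
    static class HandshakeException extends Exception {
        HandshakeException(String msg) { super(msg); }
    }

    /** Minimal throttle: at most `limit` handshakes in flight at once. */
    static class Throttle {
        private final AtomicInteger pending = new AtomicInteger();
        private final int limit;

        Throttle(int limit) { this.limit = limit; }

        /** Reserve a slot; returns false when the threshold is reached. */
        boolean acquire() {
            while (true) {
                int cur = pending.get();
                if (cur >= limit) return false;
                if (pending.compareAndSet(cur, cur + 1)) return true;
            }
        }

        /** Free a slot previously reserved with acquire(). */
        void release() { pending.decrementAndGet(); }

        /** Number of slots currently held; useful as a health metric. */
        int pending() { return pending.get(); }
    }

    /** Simulated handshake step; `shouldFail` stands in for a peer aborting. */
    static void doHandshake(boolean shouldFail) throws HandshakeException {
        if (shouldFail) throw new HandshakeException("peer aborted handshake");
    }

    /** Leaky pattern: the slot is released only when the handshake succeeds. */
    static boolean handshakeLeaky(Throttle t, boolean fail) {
        if (!t.acquire()) return false;     // throttled: record dropped
        try {
            doHandshake(fail);
        } catch (HandshakeException e) {
            return false;                   // defect: slot is never released
        }
        t.release();
        return true;
    }

    /** Fixed pattern: release in finally, so success, failure and throw all free the slot. */
    static boolean handshakeFixed(Throttle t, boolean fail) {
        if (!t.acquire()) return false;
        try {
            doHandshake(fail);
            return true;
        } catch (HandshakeException e) {
            return false;
        } finally {
            t.release();
        }
    }

    /** Run `failures` failed handshakes, then report whether a good one is still accepted. */
    static boolean goodHandshakeStillAccepted(boolean useFix, int limit, int failures) {
        Throttle t = new Throttle(limit);
        for (int i = 0; i < failures; i++) {
            if (useFix) handshakeFixed(t, true); else handshakeLeaky(t, true);
        }
        return useFix ? handshakeFixed(t, false) : handshakeLeaky(t, false);
    }

    public static void main(String[] args) {
        System.out.println("leaky, limit 10 after 10 failures: "
                + goodHandshakeStillAccepted(false, 10, 10));
        System.out.println("fixed, limit 10 after 10 failures: "
                + goodHandshakeStillAccepted(true, 10, 10));
    }
}
```

With the leaky variant, once as many handshakes have failed as the throttle permits, a subsequent well-formed handshake is refused and stays refused, which is the permanent record-dropping condition the advisory describes; the fixed variant keeps accepting. Operationally, exporting the `pending()` value as a metric and alerting when it sits at the limit while no handshakes are actually in progress is a cheap way to detect this class of leak before it becomes an outage.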

Weakness Enumeration

Improper Resource Release

Related Identifiers

CVE-2022-39368
GHSA-P72G-CGH9-GHJG

Affected Products

Eclipse Californium