{"containers": {"cna": {"affected": [{"product": "Eclipse Californium", "vendor": "The Eclipse Foundation", "versions": [{"status": "affected", "version": "[2.3.0, 2.6.0]"}]}], "descriptions": [{"lang": "en", "value": "In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS parameter mismatch. The DTLS server side must be restarted to recover this. This allow clients to force a DoS."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-372", "description": "CWE-372: Incomplete Internal State Distinction", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-03T16:36:38", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@eclipse.org", "ID": "CVE-2020-27222", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Eclipse Californium", "version": {"version_data": [{"version_value": "[2.3.0, 2.6.0]"}]}}]}, "vendor_name": "The Eclipse Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS parameter mismatch. The DTLS server side must be restarted to recover this. This allow clients to force a DoS."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-372: Incomplete Internal State Distinction"}]}]}, "references": {"reference_data": [{"name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844", "refsource": "CONFIRM", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:11:36.000Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844"}]}]}, "cveMetadata": {"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2020-27222", "datePublished": "2021-02-03T15:45:13", "dateReserved": "2020-10-19T00:00:00", "dateUpdated": "2024-08-04T16:11:36.000Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:californium:*:*:*:*:*:*:*:*", "matchCriteriaId": "56884583-F1FF-412F-B5E6-0AD0F904F260", "versionEndIncluding": "2.6.0", "versionStartIncluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS parameter mismatch. The DTLS server side must be restarted to recover this. This allow clients to force a DoS."}, {"lang": "es", "value": "En Eclipse Californium versiones 2.3.0 hasta 2.6.0, los protocolos de enlace DTLS basados ??en certificados (x509 y RPK) cometen un fallo accidentalmente, porque el lado del servidor DTLS se adhiere a un estado interno equivocado. Ese estado interno equivocado es ajustado por medio de un fallo de protocolo de enlace DTLS basada en un certificado anterior con una falta de coincidencia de los par\u00e1metros TLS. El lado del servidor DTLS debe reiniciarse para recuperar esto. Esto permite a clientes forzar una DoS"}], "id": "CVE-2020-27222", "lastModified": "2024-11-21T05:20:53.557", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-03T16:15:13.117", "references": [{"source": "emo@eclipse.org", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-372"}], "source": "emo@eclipse.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:3205", "cpe": "cpe:/a:redhat:integration:1", "impact": "moderate", "package": "californium-core", "product_name": "Red Hat Integration", "release_date": "2021-08-18T00:00:00Z"}, {"advisory": "RHSA-2021:3207", "cpe": "cpe:/a:redhat:camel_quarkus:2", "impact": "moderate", "package": "californium-core", "product_name": "Red Hat Integration Camel Quarkus 2", "release_date": "2021-08-18T00:00:00Z"}], "bugzilla": {"description": "californium-core: DTLS - DoS vulnerability for certificate based handshakes", "id": "1930230", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930230"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-372", "details": ["In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS parameter mismatch. The DTLS server side must be restarted to recover this. This allow clients to force a DoS.", "A flaw was found in californium. The certificate based (x509 and RPK) DTLS handshakes fails due to the DTLS server side being set to a wrong internal state by a previous certificate based DTLS handshake failure with TLS parameter mismatch. The highest threat from this vulnerability is to system availability."], "name": "CVE-2020-27222", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "impact": "moderate", "package_name": "californium-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Not affected", "package_name": "californium-core", "product_name": "Red Hat JBoss Fuse 6"}], "public_date": "2021-02-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-27222\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-27222"], "threat_severity": "Important"}