org.eclipse.californium:scandium@2.5.0 vulnerabilities

org.eclipse.californium:scandium is a library for exchanging data using DTLS over UDP.

Affected versions of this package are vulnerable to Denial of Service (DoS) in DTLS connection handling performed by DTLSConnector.java and ResumingServerHandshaker.java. An attacker can cause traffic to be sent to a forged address without properly verifying with a HelloVerifyRequest first, allowing resource consumption (ServerHello message amplification and CPU load) to a degree that can deny service to the affected system.

NOTE: Exploiting this vulnerability is only possible when DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD is set to a value larger than 0.

Upgrade org.eclipse.californium:scandium to version 2.7.3, 3.6.0 or higher.

org.eclipse.californium:scandium is a library for exchanging data using DTLS over UDP.

Affected versions of this package are vulnerable to Signature Validation Bypass. If the signature is not included in ServerKeyExchange, then the certificate based (x509 and RPK) DTLS handshakes succeeds without verifying the server side's signature on the client side.

Upgrade org.eclipse.californium:scandium to version 2.6.5, 3.0.0-M4 or higher.

org.eclipse.californium:scandium is a library for exchanging data using DTLS over UDP.

Affected versions of this package are vulnerable to Denial of Service (DoS). The certificate based (x509 and RPK) DTLS handshakes accidentally fails, because it sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshakes failure with TLS parameter mismatch. The server must be restarted to recover this. This allow clients to force a DoS.

Upgrade org.eclipse.californium:scandium to version 2.6.1 or higher.