Bug 2145205 (CVE-2022-39368)

Summary: CVE-2022-39368 scandium: Failing DTLS handshakes may cause throttling to block processing of records
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, balejosg, chazlett, fmongiar, gmalinko, janstey, jnethert, jpavlik, jpoth, jwon, pantinor, pdelbell, peholase, pjindal, tcunning, yfang
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: scandium 3.7.0, scandium 2.7.4
Doc Text:
A flaw was found in the Eclipse Californium Scandium package. This issue occurs when failing handshakes don't clean up counters for throttling, causing the threshold to be reached without being released again, resulting in a denial of service. An attacker could submit a high quantity of server requests, leaving the server unable to respond.
Last Closed: 2023-05-03 19:14:03 UTC
Bug Blocks: 2142077

Description Patrick Del Bello 2022-11-23 14:02:59 UTC
Eclipse Californium is a Java implementation of RFC7252 - Constrained Application Protocol for IoT Cloud services. In versions prior to 3.7.0 and 2.7.4, Californium is vulnerable to a Denial of Service. Failing handshakes don't clean up counters for throttling, causing the threshold to be reached without being released again. This results in permanently dropping records. The issue was reported for certificate based handshakes, but may also affect PSK based handshakes. It generally affects client and server as well. This issue is patched in versions 3.7.0 and 2.7.4. There are no known workarounds.

main: commit 726bac57659410da463dcf404b3e79a7312ac0b9
2.7.x: commit 5648a0c27c2c2667c98419254557a14bac2b1f3f

https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjg
https://github.com/eclipse-californium/californium/commit/5648a0c27c2c2667c98419254557a14bac2b1f3f
https://github.com/eclipse-californium/californium/commit/726bac57659410da463dcf404b3e79a7312ac0b9
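The counter leak described in the advisory above, as an added example that is not Californium code: a constructed throttle that gives its pending-handshake slot back only on success pins the threshold after a few failed handshakes and then drops every record, while releasing the slot on failure too keeps legitimate handshakes flowing. `HandshakeThrottle`, `simulate` and the slot limit are hypothetical names and values chosen for the illustration.

```python
from dataclasses import dataclass

class HandshakeFailed(Exception):
    """Raised when the simulated DTLS handshake does not complete."""

@dataclass
class HandshakeThrottle:
    """Constructed model (not Californium code): caps handshakes in flight and
    drops records once the cap is reached. release_on_failure=False reproduces
    the CVE-2022-39368 pattern; True models the fixed behaviour."""
    max_pending: int
    release_on_failure: bool
    pending: int = 0
    dropped: int = 0

    def process_record(self, handshake_succeeds: bool) -> bool:
        """Handle one handshake record; return True if it was processed."""
        if self.pending >= self.max_pending:
            self.dropped += 1           # threshold reached: record is dropped
            return False
        self.pending += 1               # take a throttling slot for this handshake
        try:
            if not handshake_succeeds:
                raise HandshakeFailed("simulated handshake failure")
            return True
        except HandshakeFailed:
            return False
        finally:
            # The flaw: only a successful handshake gives its slot back, so each
            # failed handshake leaks one slot until the threshold is pinned.
            if handshake_succeeds or self.release_on_failure:
                self.pending -= 1

def simulate(release_on_failure: bool, max_pending: int = 3,
             failing: int = 5, legitimate: int = 2) -> tuple[int, int, int]:
    """Feed `failing` failed handshakes, then `legitimate` good ones.
    Returns (legitimate records processed, records dropped, slots still held)."""
    throttle = HandshakeThrottle(max_pending, release_on_failure)
    for _ in range(failing):
        throttle.process_record(handshake_succeeds=False)
    processed = sum(throttle.process_record(handshake_succeeds=True)
                    for _ in range(legitimate))
    return processed, throttle.dropped, throttle.pending

if __name__ == "__main__":
    print("vulnerable:", simulate(release_on_failure=False))  # (0, 4, 3)
    print("fixed:     ", simulate(release_on_failure=True))   # (2, 0, 0)
```

A steadily rising in-flight handshake count with no matching completions is the signal a monitoring check would watch for here.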

Comment 2 errata-xmlrpc 2023-05-03 14:06:24 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.20.1

Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100

Comment 3 Product Security DevOps Team 2023-05-03 19:14:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-39368

Comment 4 errata-xmlrpc 2023-06-28 15:59:15 UTC
This issue has been addressed in the following products:

  RHINT Camel-K-1.10.1

Via RHSA-2023:3906 https://access.redhat.com/errata/RHSA-2023:3906