Currently, GitHub security advisories are not activated for Eclipse projects.
To report a vulnerability, you need to open a Bugzilla ticket.
For more details, please look at https://www.eclipse.org/security/.
Only the Leshan library is covered; the demos are not.
| Version | Supported |
|---|---|
| 2.0.0 (master) | ✔️ |
| 1.x | ✔️ |
Note: ℹ️ 1.x depends on Californium 2.x, whose support status is not clear.
See: https://github.com/eclipse/californium/security/policy
| Version | Safe | CVE/ID | Cause | Affects |
|---|---|---|---|---|
| 2.0.0-M8 + | ✔️ | | | |
| 2.0.0-M6 -> 2.0.0-M7 | ❌ | CVE-2022-2576 | dependency (californium/scandium) | DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD > 0 |
| 2.0.0-M5 -> 2.0.0-M6 | ❌ | CVE-2022-2576 | dependency (californium/scandium) | DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD > 0 |
| | | GHSA-fj2w-wfgv-mwq6 | dependency (com.upokecenter.cbor) | CBOR or SenML-CBOR decoding |
| 2.0.0-M2 -> 2.0.0-M4 | ❌ | CVE-2022-2576 | dependency (californium/scandium) | DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD > 0 |
| | | CVE-2021-34433 | dependency (californium/scandium) | DTLS with x509 and/or RPK |
| | | GHSA-fj2w-wfgv-mwq6 | dependency (com.upokecenter.cbor) | CBOR or SenML-CBOR decoding |
| 2.0.0-M1 | ❌ | CVE-2022-2576 | dependency (californium/scandium) | DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD > 0 |
| | | CVE-2021-34433 | dependency (californium/scandium) | DTLS with x509 and/or RPK |
| 1.4.1 | ✔️ | | | |
| 1.3.1 -> 1.4.0 | ❌ | CVE-2022-2576 | dependency (californium/scandium) | DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD > 0 |
| 1.1.0 -> 1.3.1 | ❌ | CVE-2022-2576 | dependency (californium/scandium) | DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD > 0 |
| | | CVE-2020-27222, CVE-2021-34433 | dependency (californium/scandium) | DTLS with x509 and/or RPK |
| 1.0.0 -> 1.0.2 | ❌ | CVE-2022-2576 | dependency (californium/scandium) | DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD > 0 |
| | | CVE-2021-34433 | dependency (californium/scandium) | DTLS with x509 and/or RPK |
Note: We strongly encourage you to switch to the latest safe Leshan version. However, for a vulnerability caused by a dependency:
- if there is no fixed Leshan release available, OR if you want to be very conservative,
- AND the affected library uses semantic versioning,
then you can try to update just that dependency to a safe, compatible version without upgrading Leshan.
This is a non-exhaustive list of JVM security issues that could affect common Leshan usages.
| Dependency | Affected Version | Usage | Vulnerability | More Information |
|---|---|---|---|---|
| JDK / JCE | <= 15.0.2?, <= 16.0.2?, < 17.0.3, < 18.0.1 | Cipher suites based on ECDSA | ECDSA CVE-2022-21449 | eclipse-leshan#1243 |
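To check whether the JVM you run Leshan on is affected by CVE-2022-21449, the following added example (it is not part of Leshan or of this policy) asks the JCE to verify an ECDSA signature whose r and s values are both zero, in both the DER and the P1363 (r || s) encodings. Such a signature must be rejected; a vulnerable JDK accepts it for any message and any key, which is what breaks ECDSA-based DTLS cipher suites and certificate/RPK verification. The class name, the message text, and the choice of secp256r1 are arbitrary choices for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.ECGenParameterSpec;

public class PsychicSignatureCheck {

    // DER encoding of an ECDSA signature with r = 0 and s = 0:
    // SEQUENCE { INTEGER 0, INTEGER 0 }
    private static final byte[] ZERO_DER_SIG = {0x30, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00};

    // Same signature in P1363 format for a 256-bit curve: 32 zero bytes for r, 32 for s.
    private static final byte[] ZERO_P1363_SIG = new byte[64];

    /**
     * Returns true if the JCE accepts the blank signature for a freshly generated key,
     * i.e. if this JVM is vulnerable to CVE-2022-21449. A SignatureException is the
     * other acceptable way for a fixed JDK to reject the malformed signature.
     */
    static boolean acceptsBlankSignature(String algorithm, byte[] blankSig) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1")); // curve is an arbitrary choice
        KeyPair kp = kpg.generateKeyPair();

        Signature verifier = Signature.getInstance(algorithm);
        verifier.initVerify(kp.getPublic());
        // Any message works: a vulnerable verifier never looks at it.
        verifier.update("any message at all".getBytes(StandardCharsets.UTF_8));
        try {
            return verifier.verify(blankSig);
        } catch (SignatureException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean derAccepted = acceptsBlankSignature("SHA256withECDSA", ZERO_DER_SIG);
        boolean p1363Accepted = acceptsBlankSignature("SHA256withECDSAinP1363Format", ZERO_P1363_SIG);

        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("DER   r=s=0 signature accepted: " + derAccepted);
        System.out.println("P1363 r=s=0 signature accepted: " + p1363Accepted);

        if (derAccepted || p1363Accepted) {
            System.out.println("VULNERABLE (CVE-2022-21449): do not terminate ECDSA-based DTLS/TLS on this JVM");
            System.exit(1);
        }
        System.out.println("OK: blank ECDSA signatures are rejected by this JVM");
    }
}
```

Run it with the same JVM that will terminate your DTLS connections (`java PsychicSignatureCheck.java` works on JDK 11+). A non-zero exit status means that ECDSA cipher suites, X.509 and RPK verification on that JVM cannot be trusted until the JDK is updated to a fixed version, regardless of which Leshan or Californium version is in use.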