Californium - CVE-2022-21449 - java 15-18

[boaks]

Just for those who use a newer jvm (15-18) with ECDSA, please consider Californium - CVE-2022-21449.

[sbernard31]

Just to be sure, I understand that using californium 3.5.0 (eclipse-californium/californium#2001) allow to use without risk a not fixed JVM, is it correct ?
For 2.x branch there is no californium release about this ? (I don't ask for this kind of release, this is just to get clarification)

[boaks]

allow to use without risk a not fixed JVM, is it correct ?

Unfortunately, Californium is only able to fix the usage in DTLS. So any user, who is using java for TLS as well, must update.

The idea of that work-around was mainly, that some java distribution seems to be delayed to publish a fixed version. The 3.5 helps in that cases, but as soon as the fixed java versions available, it's recommended to update.

[sbernard31]

I'm asking myself if I should add this kind of information to SECURITY.md

I feel it makes sense but I also a bit afraid that I finished to put any JVM security issue in it ? 🤔

Any opinions/advices ?

[boaks]

I asked my self the same questions.

The real pain for me is, that some distributions are still not have released the fix.
The level 7.5 for broken ECDSA is in my experience a 10, (it tokes me 1h to implement an successful attack). And I don't understand, why some update channels are still not offering the update versions.

Therefore I added it to the Californium SECURITY.md and also documented, how to check the used java vm in order to see, if it's broken or working.

[sbernard31]

I added some information about it at https://github.com/eclipse/leshan/security/policy#runtime-security-state, largely inspired by Californium SECURITY.md.

[boaks]

I closed the issue in Californium, though in the meantime the 17&18 vm's are updated and available.