CVE-2021-34433

Summary

In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side's signature on the client side, if that signature is not included in the server's ServerKeyExchange.

Affected Software

VendorProductVersion RangeStatus
The Eclipse FoundationEclipse Californium2.0.0 < unspecifiedaffected
The Eclipse FoundationEclipse Californiumunspecified <= 2.6.4affected
The Eclipse FoundationEclipse Californium3.0.0-M1 < unspecifiedaffected
The Eclipse FoundationEclipse Californiumunspecified <= 3.0.0-M3affected

Weaknesses

  • CWE-322: CWE-322: Key Exchange without Entity Authentication

ADP Enrichment

CVE Program Container

Additional References

References