Californium - CVE-2022-21449 - java 15-18 #1243
Comments
Just to be sure, I understand that using Californium 3.5.0 (eclipse-californium/californium#2001) allows using an unfixed JVM without risk, is that correct?
Unfortunately, Californium is only able to fix the usage in DTLS. So any user who is using Java for TLS as well must update. The idea of that work-around was mainly that some Java distributions seem to be delayed in publishing a fixed version. The 3.5 helps in those cases, but as soon as the fixed Java versions are available, it's recommended to update.
I'm asking myself if I should add this kind of information to SECURITY.md. I feel it makes sense, but I'm also a bit afraid that I'd end up putting every JVM security issue in it 🤔 Any opinions/advice?
I asked myself the same questions. The real pain for me is that some distributions still have not released the fix. Therefore I added it to the Californium SECURITY.md and also documented how to check the used Java VM in order to see if it's broken or working.
I added some information about it at https://github.com/eclipse/leshan/security/policy#runtime-security-state, largely inspired by Californium SECURITY.md.
I closed the issue in Californium, as in the meantime the 17 & 18 VMs have been updated and are available.
Just for those who use a newer JVM (15-18) with ECDSA, please consider Californium - CVE-2022-21449.