To report a Security issue, you can :
- (Preferred way ⭐) create a new Github Security Advisories, using this form,
- open a gitlab issue,
- send an email to security@eclipse-foundation.org.
For more details, please look at :
Only Leshan library is concerned. The demos are not covered.
| Version | Supported |
|---|---|
| 2.x | ✔️ |
| 1.x | ✔️ |
Note: ℹ️ 1.x version depends on californium 2.x version where support is not clear.
See : https://github.com/eclipse/californium/security/policy
As said previously Leshan demos are not covered by Security Policy.
It is strongly discouraged to use Leshan demos v1.x on public server because they are using no longer maintained javascript library like :
- bootstrap.js (pkg:javascript/bootstrap@3.4.1) : Bootstrap before 4.0.0 is end-of-life and no longer maintained.
- jquery-2.2.4.js (pkg:javascript/jquery@2.2.4) : CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023, jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates
Concerning Leshan demos v2.x, some minimal efforts are made to update dependencies when vulnerabilities are detected but keep in mind that demos are not production ready tools.
List of version which are not affected by known vulnerability.
| Version | |
|---|---|
| 2.0.0-M13 + | ✔️ |
| 1.5.0 + | ✔️ |
This is an exhaustive list of known security issue affecting leshan library :
| CVE/ID | Leshan version concerned | artifacts | Affect |
|---|---|---|---|
| CVE-2023-41034 GHSA-wc9j-gc65-3cm7 |
2.0.0-M1 -> 2.0.0-M12 1.0.0 -> 1.4.2 |
leshan-core | if you parse untrusted DDF files (e.g. if they let external users provide their own model), |
This is a not exhaustive list of security issue from Leshan dependencies which could affect Leshan :
| CVE/ID | Leshan version concerned | Source | Affect |
|---|---|---|---|
| CVE-2022-39368 | 2.0.0-M1 -> 2.0.0-M8 1.0.0 -> 1.4.1 |
californium/scandium | any DTLS usage |
| CVE-2022-2576 | 2.0.0-M1 -> 2.0.0-M7 1.0.0 -> 1.4.0 |
californium/scandium | DTLS_VERIFY_PEERS_ ON_RESUMPTION_THRESHOLD > 0 |
| GHSA-fj2w-wfgv-mwq6 | 2.0.0-M2 -> 2.0.0-M4 | com.upokecenter.cbor | CBOR or SenML-CBOR decoding |
| CVE-2020-27222 | 1.1.0 -> 1.3.1 | californium/scandium | DTLS with x509 and/or RPK |
| CVE-2021-34433 | 2.0.0-M1 -> 2.0.0-M4 1.0.0 -> 1.3.1 |
californium/scandium | DTLS with x509 and/or RPK |
Note: We strongly encourage you to switch last safe Leshan version, but for vulnerability caused by a dependency :
- if there isn't Leshan release available OR if you want to be very conservative
- AND the concerned library is using semantic versioning
then you could try to just update the dependency to a safe compatible version without upgrading Leshan.
This is a not exhaustive list of JVM security issue which could affect common Leshan usages.
| Dependency | Affected Version | Usage | Vulnerability | More Information |
|---|---|---|---|---|
| JDK / JCE | <= 15.0.2? <= 16.0.2? < 17.0.3 < 18.0.1 |
Cipher Suite based on ECDSA | ECDSA CVE-2022-21449 | #1243 |