CVE-2022-29222
Description
Pion DTLS is a Go implementation of Datagram Transport Layer Security. Prior to version 2.1.5, a DTLS Client could provide a Certificate that it doesn't posses the private key for and Pion DTLS wouldn't reject it. This issue affects users that are using Client certificates only. The connection itself is still secure. The Certificate provided by clients can't be trusted when using a Pion DTLS server prior to version 2.1.5. Users should upgrade to version 2.1.5 to receive a patch. There are currently no known workarounds.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
Debian Fixed 4 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.2.0-1 |
| sid | Fixed | 2.2.0-1 |
| forky | Fixed | 2.2.0-1 |
| bookworm | Fixed | 2.2.0-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | github.com/pion/dtls | <2.1.5 | 2.1.5 |
| Go | github.com/pion/dtls/v2 | <2.1.5 | 2.1.5 |
References
- https://github.com/pion/dtls/security/advisories/GHSA-w45j-f832-hxvh
- https://nvd.nist.gov/vuln/detail/CVE-2022-29222
- https://github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412
- https://github.com/pion/dtls/releases/tag/v2.1.5
- https://pkg.go.dev/vuln/GO-2022-0462
- github.com/pion/dtls
- https://security-tracker.debian.org/tracker/CVE-2022-29222
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.