Bug 570105 - A null pointer reference exists in the wakaama project.
Status: RESOLVED FIXED
Alias: None
Product: Wakaama
Classification: IoT
Component: Core
Version: unspecified
Hardware: PC Windows 10
Importance: P3 normal
Target Milestone: ---
Assignee: Simon Bernard CLA
Keywords: security
 
Reported: 2021-01-05 21:38 EST by L kerenl CLA
Modified: 2021-09-20 16:00 EDT

Description L kerenl CLA 2021-01-05 21:38:22 EST
When an attacker enters an incorrect JSON format or causes an incorrect data size, the lwm2m_dm_create function references a null pointer, which may cause DoS.


The project maintainer has confirmed the problem.

https://github.com/eclipse/wakaama/issues/514

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Comment 1 Wayne Beaton CLA 2021-01-09 19:01:07 EST
Eclipse Wakaama project committers: 

You can use the GitHub infrastructure to resolve this issue, but you'll need a CVE issued by the Eclipse Foundation (should you decide that you need one). You may also need me to push an advisory (should you decide to create one). 

There is information regarding how to deal with vulnerability reports in the handbook. Please let me know if you require a CVE.
Comment 2 Simon Bernard CLA 2021-01-11 04:15:28 EST
Is it possible to continue the technical discussion on GitHub?

The Wakaama project is in a reviving state and the team still doesn't have committer rights, so I guess I am the only one able to see this. Is it possible to add people to this issue even if they are not committers on the project? (Maybe by adding them to the CC list.)

I guess we are far from being able to release a v2.0 and I feel that 1.0 will not be maintained.[1][2] Just to say that I don't know when a release would be available with a fix for this.

[1]: https://github.com/eclipse/wakaama/issues/487
[2]: https://github.com/eclipse/wakaama/issues/487#issuecomment-722259355
Comment 3 Wayne Beaton CLA 2021-01-11 12:05:49 EST
(In reply to Simon Bernard from comment #2)
> Is it possible to continue the technical discussion on GitHub?

Yes. I did try to state as much in Comment #1.

> The Wakaama project is in a reviving state and the team still doesn't have
> committer rights, so I guess I am the only one able to see this. Is it
> possible to add people to this issue even if they are not committers on the
> project? (Maybe by adding them to the CC list.)

If you're waiting on the EMO for something regarding the committers, please send a note to emo@eclipse.org.

You can add anybody that you need in CC and they will be able to access this bug.
Comment 4 L kerenl CLA 2021-01-14 21:50:44 EST
I've been directed to ask about the CVE status of this bug. I initially asked for one and wasn't aware if one had been allocated or not.
This problem can only be triggered locally, but I think he can cause some problems, right?
Comment 5 Simon Bernard CLA 2021-01-15 04:25:36 EST
My current understanding is that the issue concerns only the command line parsing of the server example.

Considering this, for now I don't think a CVE or advisory is needed.

Leif, Scott, any thoughts about this?
Comment 6 Simon Bernard CLA 2021-02-02 10:06:02 EST
The issue is fixed on master: https://github.com/eclipse/wakaama/issues/514

And FMPOV a CVE is not needed as this just affects the example command line input.

So I guess we could close this.

Scott, Leif, any thoughts about that?
Comment 7 Scott Bertin CLA 2021-02-02 10:13:59 EST
I don't think a CVE is needed.
Comment 8 Wayne Beaton CLA 2021-09-20 16:00:28 EDT
I've removed the confidentiality flag and have marked this as FIXED based on the discussion in Comment #6.