espressif / idf-extra-components

Additional components for ESP-IDF, maintained by Espressif

coap: Update to latest libcoap code (4.3.2rc1) (IEC-32) #215

Closed mrdeep1 closed 1 year ago

mrdeep1 commented 1 year ago

Checklist

Change description

Update libcoap to the latest version.

Code now builds if IPv4 or IPv6 is not available.

mahavirj commented 1 year ago

@mrdeep1

Thank you for taking care of this update!

Just wanted to inform you that we have been experimenting with the SBOM related tool to assist in monitoring the application against known security vulnerabilities. At this moment, if we run the tool against coap examples then it reports following vulnerabilities from coap component:

Following vulnerabilities were found. Further analysis may be required for confirmation.
CVEID:   CVE-2023-35862
CPE:     cpe:2.3:a:libcoap:libcoap:4.3.1:*:*:*:*:*:*:*
DETAIL:  https://nvd.nist.gov/vuln/detail/CVE-2023-35862
PACKAGE: submodule-./libcoap
SPDXID:  SPDXRef-SUBMODULE-coap-libcoap
libcoap 4.3.1 contains a buffer over-read via the function
coap_parse_oscore_conf_mem at coap_oscore.c.

CVEID:   CVE-2023-30362
CPE:     cpe:2.3:a:libcoap:libcoap:4.3.1:*:*:*:*:*:*:*
DETAIL:  https://nvd.nist.gov/vuln/detail/CVE-2023-30362
PACKAGE: submodule-./libcoap
SPDXID:  SPDXRef-SUBMODULE-coap-libcoap
Buffer Overflow vulnerability in coap_send function in libcoap library
4.3.1-103-g52cfd56 fixed in 4.3.1-120-ge242200 allows attackers to
obtain sensitive information via malformed pdu.

As I see that corresponding fixes have been merged upstream and hence with this PR, we should have clean run for the coap examples against any known security issues. Just FYI. Thanks.
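The report quoted above is a plain `KEY: value` layout followed by free-text description lines, and the scanner matches findings on the CPE version of the submodule. The following script is an added example (not part of the PR, the SBOM tool, or libcoap) that parses that layout, pulls out the CPE version and any "fixed in" version named in the description, and shows which findings still match a given submodule version. The report format is assumed from the comment; the sample text is a constructed copy of the two findings shown there.

```python
"""Triage helper for the plain-text findings report quoted in the PR comment.

Assumptions (not verified against the real tool): each finding is a block of
KEY: value lines (CVEID, CPE, DETAIL, PACKAGE, SPDXID) followed by description
lines, blocks are separated by a blank line, and the tool matches on the
version field of the CPE string. Sample input below is constructed from the
two findings shown in the comment.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two findings quoted in the PR comment.
SAMPLE_REPORT = """Following vulnerabilities were found. Further analysis may be required for confirmation.
CVEID:   CVE-2023-35862
CPE:     cpe:2.3:a:libcoap:libcoap:4.3.1:*:*:*:*:*:*:*
DETAIL:  https://nvd.nist.gov/vuln/detail/CVE-2023-35862
PACKAGE: submodule-./libcoap
SPDXID:  SPDXRef-SUBMODULE-coap-libcoap
libcoap 4.3.1 contains a buffer over-read via the function
coap_parse_oscore_conf_mem at coap_oscore.c.

CVEID:   CVE-2023-30362
CPE:     cpe:2.3:a:libcoap:libcoap:4.3.1:*:*:*:*:*:*:*
DETAIL:  https://nvd.nist.gov/vuln/detail/CVE-2023-30362
PACKAGE: submodule-./libcoap
SPDXID:  SPDXRef-SUBMODULE-coap-libcoap
Buffer Overflow vulnerability in coap_send function in libcoap library
4.3.1-103-g52cfd56 fixed in 4.3.1-120-ge242200 allows attackers to
obtain sensitive information via malformed pdu.
"""

KEY_RE = re.compile(r"^(CVEID|CPE|DETAIL|PACKAGE|SPDXID):\s*(.*)$")
FIXED_IN_RE = re.compile(r"fixed in (\S+)")


@dataclass
class Finding:
    cve_id: str
    cpe: str
    detail: str
    package: str
    spdx_id: str
    description: str

    @property
    def cpe_version(self) -> str:
        # CPE 2.3 layout: cpe:2.3:part:vendor:product:version:... -> index 5
        return self.cpe.split(":")[5]

    @property
    def fixed_in(self) -> Optional[str]:
        # Some descriptions name the fixing version; None when they do not.
        m = FIXED_IN_RE.search(self.description)
        return m.group(1) if m else None


def parse_report(text: str) -> List[Finding]:
    """Split the report into blank-line separated blocks and build one
    Finding per block that carries a CVEID. Lines before the first key
    (the report banner) are ignored."""
    findings: List[Finding] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, desc = {}, []
        for raw in block.splitlines():
            line = raw.strip()
            m = KEY_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
            elif fields:
                # Free text after the keys is the description.
                desc.append(line)
        if "CVEID" in fields:
            findings.append(Finding(
                cve_id=fields["CVEID"],
                cpe=fields.get("CPE", ""),
                detail=fields.get("DETAIL", ""),
                package=fields.get("PACKAGE", ""),
                spdx_id=fields.get("SPDXID", ""),
                description=" ".join(desc),
            ))
    return findings


def still_affected(findings: List[Finding], submodule_version: str) -> List[Finding]:
    """Findings whose CPE version equals the version actually shipped.

    Matching on the CPE version is all the scanner does; a version bump only
    clears a finding when the upstream fix really landed in that version, so
    the PR description's note that the fixes were merged upstream is the
    evidence that matters, and this filter just mirrors what the tool reports."""
    return [f for f in findings if f.cpe_version == submodule_version]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for version in ("4.3.1", "4.3.2rc1"):
        hits = still_affected(found, version)
        print(f"libcoap {version}: {len(hits)} matching finding(s)")
        for f in hits:
            print(f"  {f.cve_id}  fixed in: {f.fixed_in or 'not stated'}")
```

Run against the constructed report, the two findings match the 4.3.1 CPE and none match 4.3.2rc1, which is the "clean run" the comment expects after this PR; the `fixed_in` field surfaces the upstream version named in the second description so a reviewer can confirm the updated submodule is at or past it.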

mrdeep1 commented 1 year ago

I have done some static code analysis. Here are the results:

These look good. A large part will be down the removal of code for the higher level logging.

mrdeep1 commented 1 year ago

Code changes pushed. Updated examples to easily support CoAP over WebSockets if WebSockets is enabled.

mahavirj commented 1 year ago

Minor comments, otherwise LGTM!

mrdeep1 commented 1 year ago

> Minor comments, otherwise LGTM!

Thanks for all your help in checking this through.