Closed michaelthomasj closed 1 year ago
Issue
DTLS ClientHello parsing in mbedTLS versions up to and including 2.28.0 and 3.1.0 has a bug where, under certain build configurations, an invalid ClientHello message can extend past the buffer allocated and cause a crash or information disclosure. https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/mbedtls-security-advisory-2022-07/
Workaround
Update to mbedTLS v3.2.0 or newer or change the build configurations as described in the link above. FSP v4.1.0 includes mbedTLS v3.2.1.
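The class of bug described above is a length-prefixed field whose attacker-controlled length is trusted before it is checked against the bytes actually received. The following is an added illustration written for this page, not Mbed TLS or FSP source and not a reproduction of the specific defect in the advisory: a bounds-checked parser for the DTLS 1.2 ClientHello body layout (version, random, session_id, cookie, cipher_suites, compression_methods, optional extensions), fed a constructed valid message and two constructed malformed ones. The message bytes, field names and return codes are assumptions for the example.

```c
/* Illustrative bounds-checked DTLS 1.2 ClientHello body parser (example code,
 * not Mbed TLS). Every variable-length field is checked against the bytes
 * remaining in the received message before the cursor advances. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CH_OK              0
#define CH_ERR_TRUNCATED  -1   /* a length field points past the end of the message */
#define CH_ERR_MALFORMED  -2   /* a field violates a protocol constraint */

struct client_hello {
    uint16_t version;
    const uint8_t *random;                        /* always 32 bytes */
    const uint8_t *session_id;    uint16_t session_id_len;
    const uint8_t *cookie;        uint16_t cookie_len;
    const uint8_t *cipher_suites; uint16_t cipher_suites_len;
    const uint8_t *compression;   uint16_t compression_len;
    const uint8_t *extensions;    uint16_t extensions_len;
};

/* 'remaining' is the only authority on how far reads may go. */
struct cursor { const uint8_t *p; size_t remaining; };

static int take(struct cursor *c, size_t n, const uint8_t **out)
{
    if (n > c->remaining) return CH_ERR_TRUNCATED;
    *out = c->p; c->p += n; c->remaining -= n;
    return CH_OK;
}

/* Variable-length vector with a 1- or 2-byte length prefix. The prefix is
 * attacker controlled; without the take() check on the payload a parser would
 * walk up to 255 (or 65535) bytes past the end of the buffer, which is the
 * over-read pattern the advisory describes. */
static int take_vector(struct cursor *c, int prefix_bytes, const uint8_t **data, uint16_t *len)
{
    const uint8_t *q;
    int r = take(c, (size_t)prefix_bytes, &q);
    if (r) return r;
    *len = (prefix_bytes == 1) ? q[0] : (uint16_t)((q[0] << 8) | q[1]);
    return take(c, *len, data);
}

int parse_dtls_client_hello(const uint8_t *buf, size_t len, struct client_hello *ch)
{
    struct cursor c = { buf, len };
    const uint8_t *q; int r;
    memset(ch, 0, sizeof *ch);
    if ((r = take(&c, 2, &q))) return r;
    ch->version = (uint16_t)((q[0] << 8) | q[1]);
    if ((r = take(&c, 32, &ch->random))) return r;
    if ((r = take_vector(&c, 1, &ch->session_id, &ch->session_id_len))) return r;
    if (ch->session_id_len > 32) return CH_ERR_MALFORMED;
    if ((r = take_vector(&c, 1, &ch->cookie, &ch->cookie_len))) return r;
    if ((r = take_vector(&c, 2, &ch->cipher_suites, &ch->cipher_suites_len))) return r;
    if (ch->cipher_suites_len < 2 || (ch->cipher_suites_len & 1)) return CH_ERR_MALFORMED;
    if ((r = take_vector(&c, 1, &ch->compression, &ch->compression_len))) return r;
    if (ch->compression_len == 0) return CH_ERR_MALFORMED;
    if (c.remaining) {   /* extensions are optional but must consume the rest exactly */
        if ((r = take_vector(&c, 2, &ch->extensions, &ch->extensions_len))) return r;
        if (c.remaining) return CH_ERR_MALFORMED;
    }
    return CH_OK;
}

/* Constructed 52-byte ClientHello body: DTLS 1.2, 32-byte random, empty
 * session_id, 8-byte cookie, two cipher suites, null compression. */
static const uint8_t sample_ch[] = {
    0xfe, 0xfd,
    0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
    0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
    0x00,                                               /* session_id length 0 */
    0x08, 0xc0,0x0c,0x1e,0xde,0xad,0xbe,0xef,0x01,       /* cookie, 8 bytes */
    0x00, 0x04, 0xc0, 0x2b, 0xc0, 0x2f,                 /* two cipher suites */
    0x01, 0x00                                          /* compression: null */
};

/* Well-formed message: returns the parsed cookie length (8) or the error code. */
int demo_valid(void)
{
    struct client_hello ch;
    int r = parse_dtls_client_hello(sample_ch, sizeof sample_ch, &ch);
    return r ? r : (int)ch.cookie_len;
}

/* Message cut off right after the cookie length byte: 8 bytes promised, 0 present. */
int demo_truncated_cookie(void)
{
    struct client_hello ch;
    return parse_dtls_client_hello(sample_ch, 2 + 32 + 1 + 1, &ch);
}

/* Cookie length inflated to 0xff while the datagram stays 52 bytes long. */
int demo_inflated_cookie(void)
{
    uint8_t evil[sizeof sample_ch]; struct client_hello ch;
    memcpy(evil, sample_ch, sizeof evil);
    evil[2 + 32 + 1] = 0xff;
    return parse_dtls_client_hello(evil, sizeof evil, &ch);
}

int main(void)
{
    printf("valid: %d  truncated: %d  inflated: %d\n",
           demo_valid(), demo_truncated_cookie(), demo_inflated_cookie());
    return 0;
}
```

Both malformed inputs are rejected at the cookie vector because the check runs on the payload length before any pointer moves; an unchecked parser would instead have read 8 or 255 bytes beyond the datagram, which is exactly a crash or disclosure of adjacent memory depending on what lies past the buffer.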