OASIS Message Queuing Telemetry Transport (MQTT) TC / MQTT-634

Do we need mitigation of CVE-2020-13849?


    Details

    • Type: Task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: MQTT-SN
    • Labels: None

      Description

      MQTT 3.1.1 has a CVE against it (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13849) for a DoS attack related to the Keep Alive interval.

      MQTT-SN perhaps is less vulnerable because the server has no TCP connection open, nevertheless it does hold session state and a Virtual Connection for each client.

      The Server Keep Alive returned in the CONNACK in MQTT 5 allows the server to limit the length of the Keep Alive interval to reduce any DoS attack effectiveness.

      Should we allow an optional Server Keep Alive to be returned on the CONNACK too?

        People

        • Assignee: Ian Craggs
        • Reporter: Ian Craggs