CVE-2022-25897: 
Java vulnerability analysis and mitigation

The vulnerability CVE-2022-25897 affects the Eclipse Milo SDK Server package (org.eclipse.milo:sdk-server) versions prior to 0.6.8. This vulnerability was discovered and disclosed on August 23, 2022, by security researchers Vera Mens, Uri Katz, and Sharon Brizinov of Team82 (Claroty Research). The vulnerability allows attackers to perform a Denial of Service (DoS) attack by bypassing limitations for excessive memory consumption (Snyk Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 7.5 (HIGH) according to NVD, while Snyk rates it at 5.9 (MEDIUM). The attack vector is Network-based, requiring no user interaction or privileges. The vulnerability specifically occurs when an attacker sends multiple CloseSession requests with the deleteSubscription parameter set to False, leading to excessive memory consumption. The weakness is categorized as CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD Database).

When successfully exploited, this vulnerability results in a Denial of Service condition, causing a total loss of availability. The attack can lead to the system becoming completely unresponsive due to excessive memory consumption, effectively denying access to legitimate users (Snyk Advisory).

The recommended mitigation is to upgrade the org.eclipse.milo:sdk-server package to version 0.6.8 or higher. This version includes a fix that implements proper limitations on MonitoredItems creation through the OpcUaServerConfigLimits interface (GitHub Commit).