CVE-2022-30791: 
NixOS vulnerability analysis and mitigation

The vulnerability (CVE-2022-30791) affects CmpBlkDrvTcp of CODESYS V3 in multiple versions. It involves an uncontrolled resource consumption vulnerability that allows an unauthorized attacker to block new TCP connections, although existing connections remain unaffected. The vulnerability was discovered in May 2022 and affects various CODESYS control and runtime systems (CERT VDE).

The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 7.5 (HIGH). The attack vector is network-accessible (AV:N), with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U), with no impact on confidentiality (C:N) or integrity (I:N), but high impact on availability (A:H) (NVD).

The primary impact of this vulnerability is on system availability, specifically affecting the ability to establish new TCP connections. While existing connections remain functional, the vulnerability can prevent new connections from being established, potentially disrupting network communications and system operations (CERT VDE).

CODESYS has released updates to address this vulnerability. Users should upgrade to version 4.5.0.0 or later for most affected products, including CODESYS Control for BeagleBone, Control for emPC-A/iMX6, and other affected systems. For CODESYS Control for IOT2000 SL, upgrade to version 4.6.0.0 or later is recommended (NVD).