CVE-2021-3909
Summary
| CVE | CVE-2021-3909 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2021-11-11 22:15:00 UTC |
|---|
| Updated | 2022-04-04 14:02:00 UTC |
|---|
| Description | OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| Debian -- Security Information -- DSA-5033-1 fort-validator |
DEBIAN |
www.debian.org |
|
| Debian -- Security Information -- DSA-5041-1 cfrpki |
DEBIAN |
www.debian.org |
|
| Infinite open connection causes OctoRPKI to hang forever · Advisory · cloudflare/cfrpki · GitHub |
MISC |
github.com |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Koen van Hove
Legacy QID Mappings
- 178979 Debian Security Update for fort-validator (DSA 5033-1)
- 178993 Debian Security Update for cfrpki (DSA 5041-1)
- 183394 Debian Security Update for rpki-clientfort-validatorcfrpki (CVE-2021-3909)
- 980109 Go (go) Security Update for github.com/cloudflare/cfrpki/cmd/octorpki (GHSA-8cvr-4rrf-f244)
