QID 980654

QID 980654: Go (go) Security Update for github.com/cloudflare/cfrpki (GHSA-c8xp-8mf3-62h9)

Any CA issuer in the RPKI can trick OctoRPKI prior to https://github.com/cloudflare/cfrpki/commit/a8db4e009ef217484598ba1fd1c595b54e0f6422 into emitting an invalid VRP "MaxLength" value, causing RTR sessions to terminate.

An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as "RPKI invalid". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues.

CVSS V3 rated as High - 7.5 severity.

CVSS V2 rated as Medium - 5 severity.

Solution

https://github.com/cloudflare/cfrpki/commit/a8db4e009ef217484598ba1fd1c595b54e0f6422

https://github.com/cloudflare/cfrpki/releases/tag/v1.3.0

Vendor References

GHSA-c8xp-8mf3-62h9 - github.com/advisories/GHSA-c8xp-8mf3-62h9

CVEs related to QID 980654

CVE-2021-3761 |

Software Advisories

Advisory ID	Software	Component	Link
GHSA-c8xp-8mf3-62h9	github.com/cloudflare/cfrpki		github.com/advisories/GHSA-c8xp-8mf3-62h9

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].