CVE-2022-3616 – OctoRPKI crash when maximum iterations number is reached
https://notcve.org/view.php?id=CVE-2022-3616
Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to Donika Mirdita and Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability. Los atacantes pueden crear largas cadenas de CA que llevarían a OctoRPKI a exceder su parámetro máximo de iterations. En consecuencia provocaría que el programa colapsara, impidiendo que finalice la validación y provocando una Denegación de Servicio. • https://github.com/cloudflare/cfrpki/security/advisories/GHSA-pmw9-567p-68pc • CWE-754: Improper Check for Unusual or Exceptional Conditions CWE-834: Excessive Iteration •
CVE-2021-3912 – OctoRPKI crashes when processing GZIP bomb returned via malicious repository
https://notcve.org/view.php?id=CVE-2021-3912
OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash). OctoRPKI intenta cargar todo el contenido de un repositorio en memoria, y en el caso de una bomba GZIP, descomprimirlo en memoria, haciendo posible crear un repositorio que hace que OctoRPKI se quede sin memoria (y por tanto se bloquee) • https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg https://www.debian.org/security/2022/dsa-5041 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2021-3911 – Misconfigured IP address field in ROA leads to OctoRPKI crash
https://notcve.org/view.php?id=CVE-2021-3911
If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash. Si el ROA que devuelve un repositorio contiene demasiados bits para la dirección IP, OctoRPKI será bloqueado • https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22 https://www.debian.org/security/2022/dsa-5041 • CWE-20: Improper Input Validation CWE-252: Unchecked Return Value •
CVE-2021-3910 – NUL character in ROA causes OctoRPKI to crash
https://notcve.org/view.php?id=CVE-2021-3910
OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\0) character). OctoRPKI es bloqueado cuando encuentra un repositorio que devuelve un ROA inválido (sólo un carácter NUL (\0) codificado) • https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j https://www.debian.org/security/2022/dsa-5041 • CWE-20: Improper Input Validation •
CVE-2021-3909 – Infinite open connection causes OctoRPKI to hang forever
https://notcve.org/view.php?id=CVE-2021-3909
OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive. OctoRPKI no limita la duración de una conexión, permitiendo que se produzca un ataque slowloris DOS que hace que OctoRPKI espere eternamente. En concreto, el repositorio al que OctoRPKI envía peticiones HTTP mantendrá la conexión abierta durante un día antes de que se devuelva una respuesta, pero sigue alimentando con nuevos bytes para mantener viva la conexión • https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244 https://www.debian.org/security/2021/dsa-5033 https://www.debian.org/security/2022/dsa-5041 • CWE-400: Uncontrolled Resource Consumption •