Infinite open connection causes OctoRPKI to hang forever
CVE-2021-3909

4.4MEDIUM

Key Information:

Vendor: Cloudflare
Status: Octorpki
Vendor: CVE Published:; 1 November 2021

What is CVE-2021-3909?

OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive.

Affected Version(s)

octorpki < 1.4.0

References

https://github.com/cloudflare/cfrpki/security/advisories/...

x_refsource_MISC

https://www.debian.org/security/2021/dsa-5033

vendor-advisoryx_refsource_DEBIAN

https://www.debian.org/security/2022/dsa-5041

vendor-advisoryx_refsource_DEBIAN

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 1, 2021
Vulnerability Reserved
Oct 26, 2021

Credit

Koen van Hove

Cloudflare

What is CVE-2021-3909?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit