What is CVE-2021-3909?

CVE-2021-3909 is a vulnerability in OctoRPKI that allows for a slowloris DOS attack.

How does CVE-2021-3909 impact OctoRPKI?

CVE-2021-3909 allows an attacker to perform a slowloris DOS attack on OctoRPKI, causing it to wait forever.

What is the severity of CVE-2021-3909?

CVE-2021-3909 has a severity rating of high (7.5).

Which software versions are affected by CVE-2021-3909?

The affected software versions include OctoRPKI 1.3.0 up to, but not including, 1.4.0, cfrpki 1.4.0, 1.4.2-1~deb11u1, 1.4.4-1, 1.5.10-2, fort-validator 1.5.3-1~deb11u1, 1.5.4-1, and rpki-client 8.2-2, 8.6-1.

How can CVE-2021-3909 be fixed?

To fix CVE-2021-3909, update OctoRPKI to version 1.4.0 or later, cfrpki to version 1.4.0, 1.4.2-1~deb11u1, 1.4.4-1, or 1.5.10-2, fort-validator to version 1.5.3-1~deb11u1 or 1.5.4-1, and rpki-client to version 8.2-2 or 8.6-1.

Vulnerability/
CVE-2021-3909

high

7.5

CWE

400

1/11/2021

10/11/2021

11/11/2021

16/9/2024

CVE-2021-3909: Infinite open connection causes OctoRPKI to hang forever

First published: Mon Nov 01 2021(Updated: )

OctoRPKI (github.com/cloudflare/cfrpki/cmd/octorpki) does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive. ## Patches ## For more information If you have any questions or comments about this advisory email us at security@cloudflare.com

Credit: cna@cloudflare.com

Affected Software	Affected Version	How to fix
go/github.com/cloudflare/cfrpki	<1.4.0	1.4.0
Cloudflare Octorpki	<1.3.0
Debian Debian Linux	=11.0
debian/cfrpki		1.4.2-1~deb11u1 1.4.4-1 1.5.10-2
debian/fort-validator		1.5.3-1~deb11u1 1.5.4-1 1.6.1-1
debian/rpki-client	<=6.8p1-2	8.2-2 8.7-1

Remedy

Upgrade to 1.4

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-3909?
CVE-2021-3909 is a vulnerability in OctoRPKI that allows for a slowloris DOS attack.
How does CVE-2021-3909 impact OctoRPKI?
CVE-2021-3909 allows an attacker to perform a slowloris DOS attack on OctoRPKI, causing it to wait forever.
What is the severity of CVE-2021-3909?
CVE-2021-3909 has a severity rating of high (7.5).
Which software versions are affected by CVE-2021-3909?
The affected software versions include OctoRPKI 1.3.0 up to, but not including, 1.4.0, cfrpki 1.4.0, 1.4.2-1~deb11u1, 1.4.4-1, 1.5.10-2, fort-validator 1.5.3-1~deb11u1, 1.5.4-1, and rpki-client 8.2-2, 8.6-1.
How can CVE-2021-3909 be fixed?
To fix CVE-2021-3909, update OctoRPKI to version 1.4.0 or later, cfrpki to version 1.4.0, 1.4.2-1~deb11u1, 1.4.4-1, or 1.5.10-2, fort-validator to version 1.5.3-1~deb11u1 or 1.5.4-1, and rpki-client to version 8.2-2 or 8.6-1.

collector/github-advisory-latest
alias/GHSA-8cvr-4rrf-f244
alias/CVE-2021-3909
collector/github-advisory
collector/nvd-index
collector/security-tracker-debian
agent/type
agent/softwarecombine
agent/severity
agent/weakness
agent/author
agent/references
agent/remedy
agent/title
agent/description
agent/first-publish-date
agent/tags
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/event
agent/trending
package-manager/go
vendor/cloudflare
canonical/cloudflare octorpki
vendor/debian
canonical/debian debian linux
version/debian debian linux/11.0
package-manager/debian