UBUNTU-CVE-2021-43172

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2021-43172
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-43172.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2021-43172
Related
Published
2021-11-09T17:15:00Z
Modified
2024-10-15T14:08:28Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to never finish a validation run. In RPKI, a CA can choose the RRDP repository it wishes to publish its data in. By continuously generating a new child CA that only consists of another CA using a different RRDP repository, a malicious CA can create a chain of CAs of de-facto infinite length. Routinator prior to version 0.10.2 did not contain a limit on the length of such a chain and will therefore continue to process this chain forever. As a result, the validation run will never finish, leading to Routinator continuing to serve the old data set or, if in the initial validation run directly after starting, never serve any data at all.

References

Affected packages

Ubuntu:20.04:LTS / fort-validator

Package

Name
fort-validator
Purl
pkg:deb/ubuntu/fort-validator?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.1-2
1.1.2-1
1.1.3-1
1.2.0-1

Ecosystem specific 

{
    "ubuntu_priority": "low"
}

Ubuntu:22.04:LTS / cfrpki

Package

Name
cfrpki
Purl
pkg:deb/ubuntu/cfrpki?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.2-1
1.3.0-1
1.4.0-1
1.4.2-1

Ecosystem specific 

{
    "ubuntu_priority": "low"
}

Ubuntu:22.04:LTS / fort-validator

Package

Name
fort-validator
Purl
pkg:deb/ubuntu/fort-validator?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.5.1-1
1.5.2-1
1.5.3-1
1.5.3-1build1

Ecosystem specific 

{
    "ubuntu_priority": "low"
}

Ubuntu:22.04:LTS / rpki-client

Package

Name
rpki-client
Purl
pkg:deb/ubuntu/rpki-client?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.6-1

Affected versions

6.*

6.8p1-2

7.*

7.3-1
7.4-1
7.5-1
7.5-1build1

Ecosystem specific 

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "binary_version": "7.6-1",
            "binary_name": "rpki-client"
        },
        {
            "binary_version": "7.6-1",
            "binary_name": "rpki-client-dbgsym"
        }
    ]
}

Ubuntu:24.10 / fort-validator

Package

Name
fort-validator
Purl
pkg:deb/ubuntu/fort-validator?arch=src?distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6.1-1build3
1.6.2-1

Ecosystem specific 

{
    "ubuntu_priority": "low"
}

Ubuntu:24.04:LTS / fort-validator

Package

Name
fort-validator
Purl
pkg:deb/ubuntu/fort-validator?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.5.4-1
1.6.1-1
1.6.1-1build2
1.6.1-1build3

Ecosystem specific 

{
    "ubuntu_priority": "low"
}