低危 nlnetlabs routinator 对异常条件的处理不恰当
CVE编号
CVE-2021-43173利用情况
暂无补丁情况
官方补丁披露时间
2021-11-10漏洞描述
In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not answering but slowly drip-feeding bytes to keep the connection alive. This can be used to effectively stall validation. While Routinator has a configurable time-out value for RRDP connections, this time-out was only applied to individual read or write operations rather than the complete request. Thus, if an RRDP repository sends a little bit of data before that time-out expired, it can continuously extend the time it takes for the request to finish. Since validation will only continue once the update of an RRDP repository has concluded, this delay will cause validation to stall, leading to Routinator continuing to serve the old data set or, if in the initial validation run directly after starting, never serve any data at all.解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接 |
|
|---|---|
| https://www.debian.org/security/2021/dsa-5033 | |
| https://www.debian.org/security/2022/dsa-5041 | |
| https://www.nlnetlabs.nl/downloads/routinator/CVE-2021-43172_CVE-2021-43173_C... |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | nlnetlabs | routinator | * | Up to (excluding) 0.10.2 | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian_11 | cfrpki | * | Up to (excluding) 1.5.3-1~deb11u1 | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian_12 | cfrpki | * | Up to (excluding) 1.5.3-1 | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian_sid | cfrpki | * | Up to (excluding) 1.5.3-1 | |||||
- 攻击路径 本地
- 攻击复杂度 困难
- 权限要求 无需权限
- 影响范围 越权影响
- EXP成熟度 未验证
- 补丁情况 官方补丁
- 数据保密性 无影响
- 数据完整性 无影响
- 服务器危害 无影响
- 全网数量 N/A
| CWE-ID | 漏洞类型 |
| CWE-400 | 未加控制的资源消耗(资源穷尽) |
| CWE-755 | 对异常条件的处理不恰当 |
Exp相关链接
版权声明
本站原创文章转载请注明文章出处及链接,谢谢合作!
评论