[RPKI] Security Release Routinator 0.11.3 published.
Martin Hoffmann
martin at nlnetlabs.nl
Tue Sep 13 12:34:12 UTC 2022
Hi!

We have just released Routinator 0.11.3. This release fixes a
vulnerability present in Routinator 0.9.0 up to and including 0.11.2
which causes Routinator to exit if it encounters invalid data in RRDP
snapshot or delta files. We have assigned CVE-2022-3029 to this issue.

Due to a mistake in error handling, data in RRDP snapshot and delta
files that isn't correctly base 64 encoded is treated as a fatal error
and causes Routinator to exit.

Worst case impact of this vulnerability is denial of service for the
RPKI data that Routinator provides to routers. This may stop your
network from validating route origins based on RPKI data. This
vulnerability does not allow an attacker to manipulate RPKI data. We
are not aware of exploitation of this vulnerability at this point in
time.

Starting with release 0.11.3, Routinator handles encoding errors by
rejecting the snapshot or delta file and continuing with validation. In
case of an invalid delta file, it will try using the snapshot instead.
If a snapshot file is invalid, the update of the repository will fail
and an update through rsync is attempted.

We would like to thank Donika Mirdita and Haya Shulman from Fraunhofer
SIT and ATHENE for discovering and notifying us about this issue.

|
| THIS IS AN IMPORTANT SECURITY RELEASE. ALL USERS OF ROUTINATOR 0.9.0
| UP TO AND INCLUDING 0.11.2 ARE ENCOURAGED TO UPGRADE TO ROUTINATOR
| 0.11.3 AT THEIR EARLIEST CONVENIENCE.
|

For more information on the issues, see the RPKI security advisories at
https://nlnetlabs.nl/projects/rpki/security-advisories

The full list of changes in this release is available in the release
notes at
https://github.com/NLnetLabs/routinator/releases/tag/v0.11.3

None of these fixes change Routinator's behaviour. All users are
encouraged to update to this version. Information about updating
can be found in the Routinator docs at
https://routinator.docs.nlnetlabs.nl/en/stable/installation.html#updating

On behalf of the NLnet Labs Routing Team,
Martin
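
Added example, not part of the original announcement and not Routinator's own code: a std-only Rust sketch of the error handling described above, where a Base64 decoding failure rejects the file and the update falls back from delta to snapshot to rsync instead of ending the process. All type and function names, the simplified decoder and the sample payloads are assumptions constructed for illustration.

```rust
// Added illustration; hypothetical names, not Routinator's code.
#[derive(Debug, PartialEq)]
enum Source { Delta, Snapshot, Rsync }

#[derive(Debug, PartialEq)]
struct BadEncoding;

// Simplified strict Base64 decoder (standard alphabet, std only).
fn decode_b64(s: &str) -> Result<Vec<u8>, BadEncoding> {
    let (mut acc, mut bits, mut pad, mut n) = (0u32, 0u8, 0usize, 0usize);
    let mut out = Vec::new();
    for c in s.bytes().filter(|c| !c.is_ascii_whitespace()) {
        n += 1;
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62, b'/' => 63,
            b'=' => { pad += 1; continue; }
            _ => return Err(BadEncoding), // not a Base64 character
        };
        if pad > 0 { return Err(BadEncoding); } // data after padding
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); }
    }
    if n % 4 != 0 || pad > 2 { return Err(BadEncoding); }
    Ok(out)
}

// One bad element rejects the whole file; the error is a value, not an exit.
fn process(file: &[&str]) -> Result<Vec<Vec<u8>>, BadEncoding> {
    file.iter().map(|e| decode_b64(e)).collect()
}

// Fallback order from the announcement: delta, then snapshot, then rsync.
fn update(delta: &[&str], snapshot: &[&str]) -> Source {
    if process(delta).is_ok() { return Source::Delta; }
    if process(snapshot).is_ok() { return Source::Snapshot; }
    Source::Rsync
}

fn main() {
    let good = ["QUJD", "QQ=="];      // constructed: "ABC", "A"
    let bad = ["QUJD", "not*base64"]; // constructed: '*' is invalid
    println!("{:?}", update(&bad, &good)); // Snapshot
    println!("{:?}", update(&bad, &bad));  // Rsync
}
```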