Koen Van Der Hove

**Name of the Vulnerable Software and Affected Versions** NLnet Labs Routinator versions prior to 0.10.2 **Description** A validation run can be delayed significantly by an RRDP repository by not answering but slowly drip-feeding bytes to keep the connection alive. This can be used to effectively stall validation. While Routinator has a configurable time-out value for RRDP connections, this time-out was only applied to individual read or write operations rather than the complete request. Thus, if an RRDP repository sends a little bit of data before that time-out expired, it can continuously extend the time it takes for the request to finish. Since validation will only continue once the update of an RRDP repository has concluded, this delay will cause validation to stall, leading to Routinator continuing to serve the old data set or, if in the initial validation run directly after starting, never serve any data at all. **Recommendations** For NLnet Labs Routinator versions prior to 0.10.2, update to version 0.10.2 or later to resolve the issue. As a temporary workaround, consider adjusting the configurable time-out value for RRDP connections to a lower value to minimize the risk of validation stalling. Additionally, restrict access to RRDP repositories that may be used to exploit this issue until the update is applied.

**Name of the Vulnerable Software and Affected Versions** NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1 **Description** The issue concerns the support of gzip transfer encoding in NLnet Labs Routinator when querying RRDP repositories. This encoding can be exploited by an RRDP repository to cause an out-of-memory crash in the affected versions of Routinator. RRDP uses XML, which allows arbitrary amounts of white space in the encoded data. The gzip scheme compresses such white space extremely well, leading to very small compressed files that become huge when being decompressed for further processing, causing Routinator to run out of memory when parsing input data waiting for the next XML element. **Recommendations** For NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, consider disabling the gzip transfer encoding support when querying RRDP repositories as a temporary workaround until a patch is available. Restrict access to RRDP repositories that may exploit this issue to minimize the risk of an out-of-memory crash. Avoid using the gzip scheme for compressing data in RRDP repositories until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.