CVE-2021-43174

Name of the Vulnerable Software and Affected Versions NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1

Description The issue concerns the support of gzip transfer encoding in NLnet Labs Routinator when querying RRDP repositories. This encoding can be exploited by an RRDP repository to cause an out-of-memory crash in the affected versions of Routinator. RRDP uses XML, which allows arbitrary amounts of white space in the encoded data. The gzip scheme compresses such white space extremely well, leading to very small compressed files that become huge when being decompressed for further processing, causing Routinator to run out of memory when parsing input data waiting for the next XML element.

Recommendations For NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, consider disabling the gzip transfer encoding support when querying RRDP repositories as a temporary workaround until a patch is available. Restrict access to RRDP repositories that may exploit this issue to minimize the risk of an out-of-memory crash. Avoid using the gzip scheme for compressing data in RRDP repositories until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.