A vulnerability has been discovered in Krill. We are assigning CVE-2023-0158 and we are categorizing the vulnerability with a MEDIUM severity for Krill.

== Summary

Krill can be used to operate an RPKI Publication Server. If used in this way, it is recommended that the RPKI repository "RRDP" (RFC 8182) content is served using a separate and dedicated web server. See the documentation for Krill 0.12.0:

https://krill.docs.nlnetlabs.nl/en/0.12.0/publication-server.html#synchronise-repository-data

However, Krill also supports direct access to this repository content through its built-in web server at the "/rrdp" endpoint. It was discovered that certain queries to this endpoint can cause Krill to crash.

== Affected products

Krill up to and including 0.12.0, if it is used as an RPKI Publication Server and if its "/rrdp" endpoint is accessible over the internet.

== Description

It was discovered that a direct query for any existing directory under "/rrdp/", rather than for an RRDP file such as "/rrdp/notification.xml" as would be expected, causes Krill to crash. If the built-in "/rrdp" endpoint is exposed directly to the internet, then malicious remote parties can cause the publication server to crash. The repository content is not affected by this, but the availability of the server and repository can suffer if this attack is persistent and is not mitigated.

== Solution

The preferred solution is to follow the documented recommendation to use a separate web server for the RRDP content, and to disable direct access to the "/rrdp" endpoint. This solution is (and was) preferred because dedicated web servers are much better suited to handling high-load HTTP traffic than the built-in HTTP application server.

Upgrading to 0.12.1 will also ensure that Krill no longer crashes as a result of direct queries to the "/rrdp" endpoint.

== Acknowledgments

We would like to thank user KittensAreDaBest on GitHub for discovering and disclosing the vulnerability.
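Operators who cannot immediately upgrade or move RRDP behind a dedicated web server may want to spot the directory-style queries described above in their access logs. The following detection script is an added example written for this advisory, not code from Krill or NLnet Labs; it assumes a reverse proxy in front of Krill writing combined-log-format lines, and the session directory name in the constructed samples is an assumption about repository layout, not taken from the advisory.

```python
import re
from typing import Dict, Iterable, List

# Combined log format as written by a reverse proxy in front of Krill (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

RRDP_PREFIX = "/rrdp/"


def is_directory_style_rrdp_request(path: str) -> bool:
    """RRDP (RFC 8182) only serves XML files (notification, snapshot, delta).
    Any request under /rrdp that is not for an .xml file is a directory-style
    query, which no relying party would send and which CVE-2023-0158 concerns."""
    path = path.split("?", 1)[0]  # a query string does not change the resource
    if path == "/rrdp":
        return True
    if not path.startswith(RRDP_PREFIX):
        return False
    return not path.lower().endswith(".xml")


def find_suspicious_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the source, path and status of every directory-style /rrdp request."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline would count these
        if is_directory_style_rrdp_request(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": m["status"]})
    return hits


# Constructed sample log lines (not real traffic); "sess-example" stands in for a
# session directory, and the 502 shows what a proxy logs once the backend is gone.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2023:10:00:01 +0000] "GET /rrdp/notification.xml HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Jan/2023:10:00:02 +0000] "GET /rrdp/sess-example/2/snapshot.xml HTTP/1.1" 200 9001',
    '198.51.100.7 - - [10/Jan/2023:10:00:03 +0000] "GET /rrdp/ HTTP/1.1" 500 -',
    '198.51.100.7 - - [10/Jan/2023:10:00:04 +0000] "GET /rrdp/sess-example/ HTTP/1.1" 502 -',
    'not a log line at all',
    '198.51.100.7 - - [10/Jan/2023:10:00:05 +0000] "GET /rrdp/sess-example HTTP/1.1" 502 -',
]

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f'{hit["ip"]} requested {hit["path"]} -> {hit["status"]}')
```

Alerting on the first match, or on any 5xx following such a request, gives early warning that the built-in endpoint is reachable and being probed before the upgrade to 0.12.1 or the move to a dedicated web server is complete.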