Impact
Mutual TLS configuration in rpki-publication-server did not enforce mutual TLS for clients. While the software is deployed in trusted networks, this vulnerability contradicts assumptions of the security model the software is designed to be deployed in.
Patches
Has the problem been patched? What versions should users upgrade to?
v2.0.0-rc1
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
The application SHOULD be deployed where it is only accessible from a trusted network. Operators can also deploy the application together with a service proxy (e.g. envoy) that provides authentication.
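An added example, not part of the advisory or the project's documentation: a minimal Envoy static configuration for the proxy workaround, terminating TLS and rejecting any client that does not present a certificate signed by the operator's client CA. The listener and upstream ports, the file paths, and the assumption that the publication endpoint is bound to loopback as plain HTTP are placeholders to adapt.

```yaml
# Added example: Envoy in front of the publication endpoint, enforcing mTLS.
# Ports, paths and the loopback plain-HTTP upstream are assumed placeholders.
static_resources:
  listeners:
  - name: publication_mtls
    address:
      socket_address: { address: 0.0.0.0, port_value: 7766 }  # placeholder port
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # Without this flag Envoy validates a client certificate only when
          # one is presented; clients that send none are still accepted.
          require_client_certificate: true
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/tls/server.crt }
              private_key: { filename: /etc/envoy/tls/server.key }
            validation_context:
              # CA that issues the publishing clients' certificates.
              trusted_ca: { filename: /etc/envoy/tls/client-ca.crt }
      filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: publication_mtls
          cluster: publication_server
  clusters:
  - name: publication_server
    type: STATIC
    connect_timeout: 1s
    load_assignment:
      cluster_name: publication_server
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              # Assumed: the application listens only on loopback.
              socket_address: { address: 127.0.0.1, port_value: 7767 }
```

The proxy only helps if the application port itself is unreachable from other hosts, so bind it to loopback or firewall it. A connection attempt without a client certificate should then fail at the TLS layer before any request reaches the application.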