Bug 1854926 (CVE-2020-14422)

Summary: CVE-2020-14422 python: DoS via inefficiency in IPv{4,6}Interface classes
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified CC: adev88, bdettelb, carl, cheimes, cstratak, dmalcolm, extras-orphan, hhorak, jdobes, jeffrey.ness, jorton, kevin, manisandro, m.cyprian, metherid, mhroncok, ncoghlan, npmccallum, pviktori, pwouters, python-maint, python-sig, rkuska, scorneli, shcherbina.iryna, slavek.kabrda, steve.traylen, tflink, thrnciar, TicoTimo, tkasparek, tomckay, tomspur, torsava, vstinner
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the way the ipaddress python module computes hash values in the IPv4Interface and IPv6Interface classes. An attacker who can cause many dictionary entries to be created can exploit this flaw to degrade the performance of a dictionary containing IPv4Interface or IPv6Interface objects, possibly resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-19 20:21:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1854930, 1854931, 1854932, 1854934, 1854936, 1854937, 1854938, 1854939, 1854940, 1854941, 1854942, 1854943, 1856382, 1856383, 1856384, 1856385, 1856386, 1857276, 1857277, 1857278, 1857279, 1857280, 1857282, 1857283, 1857284, 1857285, 1857286, 1857287, 1857288, 1857289, 1857292, 1857293, 1857294, 1858216, 1885290    
Bug Blocks: 1854944, 1854945    

Description Dhananjay Arunesh 2020-07-08 12:52:24 UTC
A vulnerability was found in Lib/ipaddress.py in Python through 3.8.3, which improperly computes hash values in the IPv4Interface and IPv6Interface classes. This might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created.

References:
https://bugs.python.org/issue41004
https://github.com/python/cpython/pull/20956

Comment 1 Dhananjay Arunesh 2020-07-08 12:56:50 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 1854936]


Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1854931]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1854934]


Created python27 tracking bugs for this issue:

Affects: fedora-all [bug 1854937]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1854932]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1854930]
Affects: fedora-all [bug 1854938]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1854939]


Created python36 tracking bugs for this issue:

Affects: fedora-all [bug 1854940]


Created python37 tracking bugs for this issue:

Affects: fedora-all [bug 1854941]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1854942]


Created python39 tracking bugs for this issue:

Affects: fedora-all [bug 1854943]

Comment 4 Riccardo Schirone 2020-07-15 15:12:38 UTC
The hash value returned by the IPv4Interface/IPv6Interface classes is wrongly a constant value. When an IPvXInterface object is used as the key of a python dictionary, the hash value is used to determine in which hash table bucket the object needs to be put. For a large number of elements, the constant hash value turns most dictionary operations into O(n) instead of the expected O(1), making a program much slower.

Comment 5 Riccardo Schirone 2020-07-15 15:14:01 UTC
python3 embeds the ipaddress module, where the flaw lies. python2, instead, does not embed it, but a separate python-ipaddress package is provided. Moreover, the ipaddress module is usually embedded in python-pip as well.

Comment 6 Riccardo Schirone 2020-07-15 15:20:37 UTC
Statement:

In Red Hat Enterprise Linux, python3 includes the ipaddress module by default, while for python2 a separate package, python-ipaddress, needs to be installed for the module to be used. Moreover, the ipaddress module is included in other packages as well, like python-pip.

Comment 8 Riccardo Schirone 2020-07-15 15:31:17 UTC
Created python-ipaddress tracking bugs for this issue:

Affects: fedora-all [bug 1857292]


Created python-pip tracking bugs for this issue:

Affects: epel-all [bug 1857294]
Affects: fedora-all [bug 1857293]

Comment 9 Miro Hrončok 2020-07-15 15:59:30 UTC
Pip does not have dictionaries containing IPv4Interface or IPv6Interface objects. I don't think it's worth patching the bundled ipaddress module in it.

Comment 12 Riccardo Schirone 2020-07-17 09:21:58 UTC
Mitigation:

As a short-term solution, if your application is using the IPv4Interface/IPv6Interface classes as keys of a dictionary, it is possible to patch the __hash__ method of those classes so that it is no longer constant.
```python
from ipaddress import IPv4Interface, IPv6Interface

# Hash the packed address, the prefix length and the network address instead
# of returning a constant: equal interfaces still hash equal, distinct ones
# no longer all land in the same bucket.
IPv4Interface.__hash__ = lambda self: hash((self._ip, self._prefixlen, int(self.network.network_address)))
IPv6Interface.__hash__ = lambda self: hash((self._ip, self._prefixlen, int(self.network.network_address)))
```
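The following is an added example, not code from the bug report or from CPython, that ties Comment 4 to Comment 12: it checks at startup whether the installed ipaddress module still hashes every IPv4Interface/IPv6Interface object to the same constant, applies the Comment 12 workaround only where that is the case, and verifies that the patched hash stays consistent with equality. The sample addresses are constructed documentation ranges; the function names are this example's own.

```python
import ipaddress
from ipaddress import IPv4Interface, IPv6Interface

_CLS = {4: IPv4Interface, 6: IPv6Interface}


def distinct_hashes(version, count=64):
    """Number of distinct hash values among `count` interface objects that
    differ only in their host bits. An unfixed module returns 1, because
    every object hashes to the same constant (CVE-2020-14422)."""
    if version == 4:
        samples = [IPv4Interface(f"192.0.2.{i}/24") for i in range(count)]     # constructed
    else:
        samples = [IPv6Interface(f"2001:db8::{i:x}/64") for i in range(count)]  # constructed
    return len({hash(obj) for obj in samples})


def hash_is_constant(version):
    """True if this interpreter's ipaddress module still has the constant hash."""
    return distinct_hashes(version) == 1


def _patched_hash(self):
    # Same tuple as the Comment 12 workaround: packed address, prefix length
    # and network address. Equal interfaces therefore still hash equal.
    return hash((self._ip, self._prefixlen, int(self.network.network_address)))


def apply_workaround():
    """Patch only the classes that still hash to a constant; return their names.
    On an interpreter that already carries the upstream fix this is a no-op."""
    patched = []
    for version, cls in _CLS.items():
        if hash_is_constant(version):
            cls.__hash__ = _patched_hash
            patched.append(cls.__name__)
    return patched


def hash_matches_equality(text_a, text_b):
    """The invariant any __hash__ must keep: a == b implies hash(a) == hash(b)."""
    a, b = ipaddress.ip_interface(text_a), ipaddress.ip_interface(text_b)
    return hash(a) == hash(b) if a == b else True


if __name__ == "__main__":
    print("patched:", apply_workaround())
    print("distinct v4 hashes:", distinct_hashes(4), "v6:", distinct_hashes(6))
```

Run it once at application start: an empty `patched` list means the interpreter is already fixed, anything else means the workaround was needed and is now in place.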

Comment 18 errata-xmlrpc 2020-10-19 18:05:40 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285

Comment 19 Product Security DevOps Team 2020-10-19 20:21:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14422

Comment 22 errata-xmlrpc 2020-10-20 20:00:07 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4299 https://access.redhat.com/errata/RHSA-2020:4299

Comment 23 errata-xmlrpc 2020-11-04 00:51:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4433 https://access.redhat.com/errata/RHSA-2020:4433

Comment 24 errata-xmlrpc 2020-11-04 02:35:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4641 https://access.redhat.com/errata/RHSA-2020:4641

Comment 26 errata-xmlrpc 2020-11-10 12:59:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5010 https://access.redhat.com/errata/RHSA-2020:5010