Bug 1966253 (CVE-2021-33571)

Summary: CVE-2021-33571 django: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: amctagga, anharris, apevec, bbuckingham, bcoca, bcourt, bkearney, bniver, btotty, chousekn, cmeyers, davidn, ehelms, flucifre, gblomqui, gmeno, hvyas, jal233, jcammara, jhardy, jjoyce, jobarker, jschluet, jsherril, kaycoth, lhh, lpeer, lzap, mabashia, mbenjamin, mburns, mhackett, mhroncok, mhulan, michel, mmccune, mrunge, myarboro, nmoumoul, notting, orabin, osapryki, pcreech, rchan, rdopiera, relrod, rjerrido, rpetrell, sclewis, sdoran, security-response-team, sgallagh, slavek.kabrda, slinaber, smcdonal, sokeeffe, sostapov, tkuratom, vereddy
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Django 3.2.4, Django 3.1.12, Django 2.2.24
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Django. Its URL and IP-address validators did not reject IPv4 octets with leading zeros, which other parsers (for example, the C library's inet_aton()) read as octal rather than decimal, so a value that passes validation may not denote the address the application expects. If you relied on these validators to check destination addresses, you could suffer from indeterminate SSRF, RFI, and LFI attacks. The highest threat from this vulnerability is to data integrity.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-09-15 18:21:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1973739, 1973741, 1967157, 1967158, 1967159, 1967160, 1967425, 1967426, 1967427, 1967428, 1968063, 1968066, 1968087, 1968297, 1968298, 1968299, 1972123, 1973740    
Bug Blocks: 1966255    

Description Pedro Sampaio 2021-05-31 18:09:13 UTC
:class:`~django.core.validators.URLValidator`,
:func:`~django.core.validators.validate_ipv4_address`, and
:func:`~django.core.validators.validate_ipv46_address` didn't prohibit leading
zeros in octal literals. If you used such values you could suffer from
indeterminate SSRF, RFI, and LFI attacks.

:func:`~django.core.validators.validate_ipv4_address` and
:func:`~django.core.validators.validate_ipv46_address` validators were not
affected on Python 3.9.5+.

Comment 2 Summer Long 2021-06-03 06:57:10 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1967425]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1967426]
Affects: fedora-all [bug 1967428]
Affects: openstack-rdo [bug 1967427]

Comment 7 Yadnyawalk Tale 2021-06-05 00:04:28 UTC
This Django issue also has something to do with CVE-2021-29921 of Python. Here is the original discussion and report: https://bugs.python.org/issue36384

In short, Python was rejecting IPv4 addresses with leading zeroes as ambiguously octal, which got changed in Python 3.8, but that created a regression. Further, they've fixed it in Python 3.9.5 finally. Thus validate_ipv4_address() was affected only on Python < 3.9.5.

* This was the fix which got reverted in 3.8:
https://github.com/python/cpython/commit/e653d4d8e820a7a004ad399530af0135b45db27a
* This patch is the final fix for vulnerability in Python:
https://github.com/python/cpython/pull/25099

Django is also affected by the similar leading-zeros-in-octal-literals issue, and this flaw is about that.

// 1.11.x

For 1.11.x streams, code uses following URLValidator expression:
~~~
Django-1.11.13/django/core/validators.py:83:    ipv4_re = r'(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}'
Django-1.11.29/django/core/validators.py:83:    ipv4_re = r'(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}'
~~~

These are the exact expressions which are causing improper input validation of octal strings, thus Django 1.11.x looks affected as well. However, this stream ended its extended support on April 1, 2020 and we do not have an official fix for it from the Django team: https://www.djangoproject.com/download/#supported-versions

Ideal fix for Django 2.2.x looks like this:
https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc

More information about patch can be found here:
https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
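
To make the "indeterminate" part concrete, here is an added example (not Django's or CPython's code, and not part of this bug report). OLD_IPV4_RE is the Django 1.11.x ipv4_re quoted in the comment above; FIXED_IPV4_RE has the shape of the pattern in the linked fix, where each octet is either 0 or a number whose first digit is 1-9, so it has exactly one reading. inet_aton_style() is a simplified model written for this example of how C inet_aton() and similar resolvers read an octet (0x prefix hex, leading 0 octal, otherwise decimal); naive_allows_outbound() and hardened_allows_outbound() are hypothetical SSRF allowlist checks built on the two patterns. The private-address classification is done on the packed form so that it does not depend on whether the running interpreter's ipaddress module already rejects leading zeros.

```python
"""Why a leading-zero octet makes an IPv4 allowlist check indeterminate.

Added illustration for CVE-2021-33571; not Django's or CPython's code.
OLD_IPV4_RE is the Django 1.11.x ipv4_re quoted in the bug comment.
FIXED_IPV4_RE has the shape of the pattern in the linked fix: each octet
is either '0' or a number whose first digit is 1-9, so it has one reading.
inet_aton_style() is a simplified model, written for this example, of how
C inet_aton()/libcurl read an octet (0x.. hex, leading 0 octal, else decimal).
"""
import ipaddress
import re

_OLD_OCTET = r'(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)'
OLD_IPV4_RE = re.compile(_OLD_OCTET + r'(?:\.' + _OLD_OCTET + r'){3}')

_FIXED_OCTET = r'(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)'
FIXED_IPV4_RE = re.compile(_FIXED_OCTET + r'(?:\.' + _FIXED_OCTET + r'){3}')


def decimal_reading(value):
    """Every octet read as base 10 ('012' -> 12): what a naive classifier sees."""
    return tuple(int(octet, 10) for octet in value.split('.'))


def inet_aton_style(value):
    """Model of inet_aton()-style parsing of a dotted quad.

    '0x7f' -> 127, '012' -> 10 (octal), '12' -> 12. Raises ValueError for
    anything else; real inet_aton also accepts 1-3 part forms, omitted here.
    """
    parts = value.split('.')
    if len(parts) != 4:
        raise ValueError('dotted quad expected: %r' % value)
    octets = []
    for octet in parts:
        if octet[:2].lower() == '0x':
            number = int(octet[2:], 16)
        elif len(octet) > 1 and octet[0] == '0':
            number = int(octet, 8)
        else:
            number = int(octet, 10)
        if not 0 <= number <= 255:
            raise ValueError('octet out of range: %r' % octet)
        octets.append(number)
    return tuple(octets)


def is_ambiguous(value):
    """True when the decimal and inet_aton readings of a dotted quad differ."""
    return decimal_reading(value) != inet_aton_style(value)


def _is_private(octets):
    # Build the address from its packed form so the result does not depend on
    # how the running interpreter's ipaddress module parses leading zeros.
    return ipaddress.IPv4Address(bytes(octets)).is_private


def naive_allows_outbound(host):
    """Pre-fix pattern: validate with the old regex, classify the decimal reading.

    '012.0.0.1' passes as public 12.0.0.1, but the socket layer connects to
    10.0.0.1, which is exactly the SSRF case the advisory describes.
    """
    if not OLD_IPV4_RE.fullmatch(host):
        return False  # non-literal hosts are out of scope for this example
    return not _is_private(decimal_reading(host))


def hardened_allows_outbound(host):
    """Post-fix pattern: reject any leading-zero octet before classifying."""
    if not FIXED_IPV4_RE.fullmatch(host):
        return False
    octets = decimal_reading(host)
    # The stricter regex leaves exactly one reading, so both parsers agree.
    if octets != inet_aton_style(host):
        raise AssertionError('regex admitted an ambiguous literal: %r' % host)
    return not _is_private(octets)


def stdlib_rejects_leading_zeros():
    """True on interpreters carrying the CVE-2021-29921 fix (3.9.5+), where
    ipaddress refuses '012.0.0.1'; False where Django needed its own check."""
    try:
        ipaddress.IPv4Address('012.0.0.1')
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    for host in ('012.0.0.1', '12.0.0.1', '127.0.0.01', '0.0.0.0'):
        print('%-12s old=%-5s fixed=%-5s decimal=%s inet_aton=%s' % (
            host, bool(OLD_IPV4_RE.fullmatch(host)),
            bool(FIXED_IPV4_RE.fullmatch(host)),
            decimal_reading(host), inet_aton_style(host)))
    print('naive allows 012.0.0.1:', naive_allows_outbound('012.0.0.1'))
    print('hardened allows 012.0.0.1:', hardened_allows_outbound('012.0.0.1'))
    print('stdlib rejects leading zeros:', stdlib_rejects_leading_zeros())
```

Running the script shows the two readings of 012.0.0.1 diverging (12.0.0.1 versus 10.0.0.1) and the naive check letting it through while the hardened one rejects it. stdlib_rejects_leading_zeros() reports whether the interpreter itself already refuses such literals; on Python 3.9.5+ it does, which is why the page notes that validate_ipv4_address() and validate_ipv46_address() were only affected on older interpreters, while URLValidator, which is regex-based, needed the pattern change regardless of Python version.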

Comment 10 Tapas Jena 2021-06-18 15:34:30 UTC
Analysis is complete for Ansible. As a result, it was found that AAP 1.2 is using the affected version of Django along with the vulnerable functionality, i.e. the URLValidator() function/method. Ansible components like Ansible Tower, AWX, Galaxy_NG and Pulp Core are found to be using the URLValidator() function/method.

However, the other affected functionalities, which are validate_ipv4_address() or validate_ipv46_address(), are not in use by any components of Ansible. Again, these specific functions are vulnerable in Python versions < 3.9.5 and the current Python version being used by Ansible components is 3.6.8.

Hence, marking Ansible as "affected" by this vulnerability with "medium" severity.

Comment 12 Tapas Jena 2021-06-18 15:36:53 UTC
Tracker for Tower 3.6 has been skipped as it's already EOL.

Comment 18 errata-xmlrpc 2021-09-15 06:38:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2021:3490 https://access.redhat.com/errata/RHSA-2021:3490

Comment 19 Product Security DevOps Team 2021-09-15 18:21:17 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33571

Comment 20 errata-xmlrpc 2021-11-16 14:08:18 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702

Comment 21 errata-xmlrpc 2021-12-09 20:16:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:5070 https://access.redhat.com/errata/RHSA-2021:5070