Bug 1992006 (CVE-2021-29923)

Summary: CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC:
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: go 1.17.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly handled, which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-09-07 14:33:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1992010    

Description Guilherme de Almeida Suckevicz 2021-08-10 14:27:44 UTC
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.

References:
https://github.com/golang/go/issues/30999
https://github.com/golang/go/issues/43389
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md

Upstream patch:
https://go-review.googlesource.com/c/go/+/325829/
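
The fix linked above makes net.ParseIP and net.ParseCIDR reject IPv4 octets with leading zeros. As an added illustration (not code from the bug report or the Go project), the following applies the same rejection in front of the parsers, so an allowlist check fails closed on ambiguous literals even on toolchains older than Go 1.17; hasLeadingZeroOctet, strictParseIP and allowed are assumed helper names.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// ErrLeadingZero flags an octet such as "010": Go before 1.17 read it as decimal 10,
// while e.g. glibc's inet_aton reads it as octal 8, so one string can name two hosts.
var ErrLeadingZero = errors.New("ipv4 octet has a leading zero (octal/decimal ambiguity)")

// hasLeadingZeroOctet reports whether any octet is longer than one digit and starts with '0'.
func hasLeadingZeroOctet(ipv4 string) bool {
	for _, octet := range strings.Split(ipv4, ".") {
		if len(octet) > 1 && octet[0] == '0' {
			return true
		}
	}
	return false
}

// strictParseIP is net.ParseIP plus the leading-zero rejection Go 1.17 added, for
// code still built with older toolchains. IPv6 literals (with ':') pass through.
func strictParseIP(s string) (net.IP, error) {
	if !strings.Contains(s, ":") && hasLeadingZeroOctet(s) {
		return nil, ErrLeadingZero
	}
	if ip := net.ParseIP(s); ip != nil {
		return ip, nil
	}
	return nil, fmt.Errorf("invalid IP address %q", s)
}

// allowed is an allowlist check that fails closed when the CIDR or the client literal is ambiguous.
func allowed(cidr, clientIP string) (bool, error) {
	if addr := strings.SplitN(cidr, "/", 2)[0]; !strings.Contains(addr, ":") && hasLeadingZeroOctet(addr) {
		return false, fmt.Errorf("cidr %q: %w", cidr, ErrLeadingZero)
	}
	_, network, err := net.ParseCIDR(cidr)
	if err != nil {
		return false, err
	}
	ip, err := strictParseIP(clientIP)
	if err != nil {
		return false, fmt.Errorf("client %q: %w", clientIP, err)
	}
	return network.Contains(ip), nil
}
```

A single "0" octet is still accepted, since only multi-digit octets starting with '0' are ambiguous.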

Comment 1 Guilherme de Almeida Suckevicz 2021-08-10 14:28:26 UTC
Created etcd tracking bugs for this issue:

Affects: openstack-rdo [bug 1992008]


Created golang tracking bugs for this issue:

Affects: epel-all [bug 1992007]
Affects: fedora-all [bug 1992009]

Comment 2 lnacshon 2021-08-11 11:05:06 UTC
This is an issue in Go that affects net.ParseCIDR. POC: https://play.golang.org/p/HpWqhr9tZ53. The function accepts any IP address and does not check the prefix when a CIDR is used. It is also not rejecting IP addresses that have leading zeros.

Comment 3 Przemyslaw Roguski 2021-08-11 19:04:18 UTC
The upstream fix:
https://go-review.googlesource.com/c/go/+/325829/
Added to the (not yet released) Go 1.17.0

Comment 4 Lokesh Mandvekar 2021-08-11 20:37:58 UTC
Hi, does this imply all tools on all of our products / distros using net.ParseCIDR will need to be rebuilt with Go 1.17.0?

Comment 29 errata-xmlrpc 2021-09-07 08:36:03 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2021:3431 https://access.redhat.com/errata/RHSA-2021:3431

Comment 30 Product Security DevOps Team 2021-09-07 14:33:30 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-29923

Comment 31 errata-xmlrpc 2021-09-21 08:41:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3585 https://access.redhat.com/errata/RHSA-2021:3585

Comment 32 errata-xmlrpc 2021-11-17 15:35:37 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-2.6
  RHEL-7-CNV-2.6

Via RHSA-2021:4722 https://access.redhat.com/errata/RHSA-2021:4722

Comment 33 errata-xmlrpc 2021-11-17 18:39:54 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-2.6

Via RHSA-2021:4725 https://access.redhat.com/errata/RHSA-2021:4725

Comment 34 errata-xmlrpc 2021-12-01 17:24:00 UTC
This issue has been addressed in the following products:

  RHACS-3.67-RHEL-8

Via RHSA-2021:4902 https://access.redhat.com/errata/RHSA-2021:4902

Comment 35 errata-xmlrpc 2021-12-02 14:25:07 UTC
This issue has been addressed in the following products:

  RHEL-7-CNV-4.8
  RHEL-8-CNV-4.8

Via RHSA-2021:4910 https://access.redhat.com/errata/RHSA-2021:4910

Comment 36 errata-xmlrpc 2021-12-02 17:00:47 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.8

Via RHSA-2021:4914 https://access.redhat.com/errata/RHSA-2021:4914

Comment 37 errata-xmlrpc 2022-01-24 13:51:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:0237 https://access.redhat.com/errata/RHSA-2022:0237

Comment 38 errata-xmlrpc 2022-01-25 13:53:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:0260 https://access.redhat.com/errata/RHSA-2022:0260

Comment 39 errata-xmlrpc 2022-01-27 16:56:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift distributed tracing 2.1

Via RHSA-2022:0318 https://access.redhat.com/errata/RHSA-2022:0318

Comment 40 errata-xmlrpc 2022-02-03 15:13:11 UTC
This issue has been addressed in the following products:

  RHACS-3.68-RHEL-8

Via RHSA-2022:0431 https://access.redhat.com/errata/RHSA-2022:0431

Comment 41 errata-xmlrpc 2022-02-03 16:07:40 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:0432 https://access.redhat.com/errata/RHSA-2022:0432

Comment 42 errata-xmlrpc 2022-02-03 18:25:02 UTC
This issue has been addressed in the following products:

  OpenShift Serverless 1.20

Via RHSA-2022:0434 https://access.redhat.com/errata/RHSA-2022:0434

Comment 45 errata-xmlrpc 2022-02-23 12:51:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:0557 https://access.redhat.com/errata/RHSA-2022:0557

Comment 46 errata-xmlrpc 2022-02-23 13:55:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:0561 https://access.redhat.com/errata/RHSA-2022:0561

Comment 50 errata-xmlrpc 2022-03-16 15:49:50 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:0947 https://access.redhat.com/errata/RHSA-2022:0947

Comment 51 errata-xmlrpc 2022-03-23 22:27:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:0998 https://access.redhat.com/errata/RHSA-2022:0998

Comment 52 errata-xmlrpc 2022-03-23 22:27:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:0997 https://access.redhat.com/errata/RHSA-2022:0997

Comment 53 errata-xmlrpc 2022-03-24 10:57:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:0989 https://access.redhat.com/errata/RHSA-2022:0989

Comment 54 errata-xmlrpc 2022-03-24 10:58:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:0988 https://access.redhat.com/errata/RHSA-2022:0988

Comment 55 errata-xmlrpc 2022-03-28 09:36:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577

Comment 56 errata-xmlrpc 2022-04-07 17:58:48 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2022:1276 https://access.redhat.com/errata/RHSA-2022:1276

Comment 57 errata-xmlrpc 2022-04-13 18:49:08 UTC
This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1372 https://access.redhat.com/errata/RHSA-2022:1372