Bug 2042493

Summary: No way to verify if IPs with leading zeros are still valid in the apiserver
Product: OpenShift Container Platform
Reporter: Antonio Ojea <aojeagar>
Component: kube-apiserver
Assignee: Antonio Ojea <aojeagar>
Status: CLOSED ERRATA
QA Contact: Rahul Gangwar <rgangwar>
Severity: high
Priority: high
Version: 4.10
CC: aos-bugs, mfojtik, rgangwar, xxia
Target Milestone: ---
Target Release: 4.10.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-03-10 16:40:51 UTC
Type: Bug
Bug Blocks: 2043807, 2073153    

Description Antonio Ojea 2022-01-19 15:38:34 UTC
Add an integration test to verify that IPs with leading zeros are still allowed by the API server.
This test guarantees that data that was previously valid (containing IPs with leading zeros) remains valid.

Ref CVE-2021-29923

Comment 4 Rahul Gangwar 2022-01-25 12:21:02 UTC
oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-01-24-070025   True        False         5h37m   Cluster version is 4.10.0-0.nightly-2022-01-24-070025

Creating service with leading 0's in IP

apiVersion: v1
kind: Service
metadata:
  name: test
  namespace: default
spec:
  clusterIP: 172.16.001.008
  ports:
  - name: "80"
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: test
  type: ClusterIP

oc create -f test.yaml --loglevel=9
I0125 17:41:47.104925   26383 loader.go:379] Config loaded from file:  /Users/rahulgangwar/office-work/kubeconfig/kube.124.txt
I0125 17:41:47.110959   26383 request.go:1107] Request Body: {"apiVersion":"v1","kind":"Service","metadata":{"name":"test2","namespace":"default"},"spec":{"clusterIP":"172.30.001.009","ports":[{"name":"80","port":80,"protocol":"TCP","targetPort":80}],"selector":{"app":"test2"},"type":"ClusterIP"}}
I0125 17:41:47.111047   26383 round_trippers.go:425] curl -k -v -XPOST  -H "Content-Type: application/json" -H "User-Agent: oc/4.7.0 (darwin/amd64) kubernetes/9b9f77a" -H "Accept: application/json" 'https://api.rgangwar-25de.qe.devcluster.openshift.com:6443/api/v1/namespaces/default/services?fieldManager=kubectl-create'
I0125 17:41:48.205013   26383 round_trippers.go:445] POST https://api.rgangwar-25de.qe.devcluster.openshift.com:6443/api/v1/namespaces/default/services?fieldManager=kubectl-create 201 Created in 1093 milliseconds
I0125 17:41:48.205122   26383 round_trippers.go:451] Response Headers:
I0125 17:41:48.205150   26383 round_trippers.go:454]     Content-Type: application/json
I0125 17:41:48.205168   26383 round_trippers.go:454]     Content-Length: 912
I0125 17:41:48.205182   26383 round_trippers.go:454]     Date: Tue, 25 Jan 2022 12:11:48 GMT
I0125 17:41:48.205195   26383 round_trippers.go:454]     Audit-Id: 78fc3717-638f-463a-bbd4-56ac871c36d7
I0125 17:41:48.205208   26383 round_trippers.go:454]     Cache-Control: no-cache, private
I0125 17:41:48.205299   26383 request.go:1107] Response Body: {"kind":"Service","apiVersion":"v1","metadata":{"name":"test2","namespace":"default","uid":"ed82e61b-16c8-42da-89d9-bd214903db49","resourceVersion":"125208","creationTimestamp":"2022-01-25T12:11:48Z","managedFields":[{"manager":"kubectl-create","operation":"Update","apiVersion":"v1","time":"2022-01-25T12:11:48Z","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{"f:clusterIP":{},"f:internalTrafficPolicy":{},"f:ports":{".":{},"k:{\"port\":80,\"protocol\":\"TCP\"}":{".":{},"f:name":{},"f:port":{},"f:protocol":{},"f:targetPort":{}}},"f:selector":{},"f:sessionAffinity":{},"f:type":{}}}}]},"spec":{"ports":[{"name":"80","protocol":"TCP","port":80,"targetPort":80}],"selector":{"app":"test2"},"clusterIP":"172.30.001.009","clusterIPs":["172.30.001.009"],"type":"ClusterIP","sessionAffinity":"None","ipFamilies":["IPv4"],"ipFamilyPolicy":"SingleStack","internalTrafficPolicy":"Cluster"},"status":{"loadBalancer":{}}}
service/test2 created


oc get service test2 -n default
NAME    TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
test2   ClusterIP   172.30.001.009   <none>        80/TCP    3m11s
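
Added example, not part of the bug report or of the Kubernetes or OpenShift code: a Go audit helper that flags IPv4 literals such as the clusterIP values above, which a strict parser (`netip.ParseAddr`) rejects but which stay valid when leading zeros are read as decimal, the reading CVE-2021-29923 concerns. `auditIPv4`, `Finding` and the last two sample addresses are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Finding is an IPv4 literal that only a lenient (decimal) parser accepts.
type Finding struct {
	Raw       string // value as stored, e.g. spec.clusterIP
	Canonical string // decimal reading with the leading zeros stripped
	OctalDiff bool   // an octal-aware parser would reject it or read another address
}

// auditIPv4 (hypothetical helper) returns nil, nil if the strict parser accepts
// raw, a Finding if only leading zeros make it invalid, and an error otherwise.
func auditIPv4(raw string) (*Finding, error) {
	if _, err := netip.ParseAddr(raw); err == nil {
		return nil, nil
	}
	parts := strings.Split(raw, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("%q: not a dotted-quad IPv4 literal", raw)
	}
	octal := false
	for i, p := range parts {
		n, err := strconv.ParseUint(p, 10, 8) // decimal reading, 0..255
		if err != nil {
			return nil, fmt.Errorf("%q: bad octet %q", raw, p)
		}
		parts[i] = strconv.FormatUint(n, 10)
		// inet_aton-style parsers treat a leading zero as an octal prefix.
		if o, err := strconv.ParseUint(p, 8, 8); len(p) > 1 && p[0] == '0' && (err != nil || o != n) {
			octal = true
		}
	}
	return &Finding{Raw: raw, Canonical: strings.Join(parts, "."), OctalDiff: octal}, nil
}

func main() {
	// The first two values come from the bug report; the last two are constructed.
	for _, ip := range []string{"172.16.001.008", "172.30.001.009", "192.168.001.001", "10.0.010.1"} {
		if f, err := auditIPv4(ip); err == nil && f != nil {
			fmt.Printf("%-16s canonical=%-12s octal-ambiguous=%v\n", f.Raw, f.Canonical, f.OctalDiff)
		}
	}
}
```

Values reported with `OctalDiff` set are the ones to normalize first, since components that parse them with different rules will not agree on the address.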

Comment 8 errata-xmlrpc 2022-03-10 16:40:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056