Bug 1957458 (CVE-2021-29921) - CVE-2021-29921 python-ipaddress: Improper input validation of octal strings
Summary: CVE-2021-29921 python-ipaddress: Improper input validation of octal strings
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-29921
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1970504 1970505 1970506 1974304
Blocks: 1957459
TreeView+ depends on / blocked
 
Reported: 2021-05-05 19:35 UTC by Pedro Sampaio
Modified: 2021-11-10 00:21 UTC (History)
10 users (show)

Fixed In Version: python 3.9
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-ipaddress. Improper input validation of octal strings in stdlib ipaddress allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib ipaddress. The highest threat from this vulnerability is to data integrity and system availability.
Clone Of:
Environment:
Last Closed: 2021-11-10 00:21:59 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3254 0 None None None 2021-08-24 08:09:18 UTC
Red Hat Product Errata RHSA-2021:4160 0 None None None 2021-11-09 17:27:14 UTC
Red Hat Product Errata RHSA-2021:4162 0 None None None 2021-11-09 17:28:24 UTC

Description Pedro Sampaio 2021-05-05 19:35:27 UTC 
Improper input validation of octal strings in Python 3.8.0 thru v3.10 stdlib
  ipaddress allows unauthenticated remote attackers to perform indeterminate
  SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib
  ipaddress. IP address octects are left stripped instead of evaluated as
  valid IP addresses. For example, an attacker submitting an IP address to a
  web application that relies on stdlib ipaddress, could cause SSRF via
  inputting octal input data; An attacker can submit exploitable IP addresses
  if the octet is 3 digits, with the minimum exploitable octect being 08
  (Denial of Service) and the maximum exploitable octet is 099. For example,
  an attacker can submit 010.8.8.8, which is 8.8.8.8, yet Python ipaddress
  builtin will evaluate this as 10.8.8.8.

References:

https://bugs.python.org/issue36384#msg392423
Comment 1 Petr Viktorin (pviktori) 2021-05-06 08:01:49 UTC 
> an attacker can submit 010.8.8.8, which is 8.8.8.8

No, it is not. This is decimal-dot notation. According to [RFC 3986], "010.8.8.8" is confusing and causes security concerns. According to [Python documentation], "010.8.8.8" is 10.8.8.8. 
It is incorrect to to say "010.8.8.8" is 8.8.8.8.


[RFC 3986]: https://tools.ietf.org/html/rfc3986#section-7.4
[Python documentation]: https://docs.python.org/3/library/ipaddress.html#ipaddress.IPv4Address
Comment 2 Stefan Cornelius 2021-06-10 11:57:51 UTC 
Patch:
https://github.com/python/cpython/commit/60ce8f0be6354ad565393ab449d8de5d713f35bc
Comment 4 Stefan Cornelius 2021-06-10 15:26:11 UTC 
python 3.7 and older are not affected. our python-pips include an older version of ipaddress.py, which is not affected
Comment 5 Charalampos Stratakis 2021-06-11 13:12:17 UTC 
(In reply to Stefan Cornelius from comment #4)
> python 3.7 and newer are not affected. our python-pips include an older
> version of ipaddress.py, which is not affected

I suppose the wording should have been here about Python 3.7 and older?
Comment 6 prasanna_marathe 2021-06-21 10:23:49 UTC 
We are using RHEL7 python3 package, but this package is not listed in the CVE page (CVE-2021-29921), so are we affected by this vulnerability? 
At present, we are using python3.6.8
Comment 7 Pedro Sampaio 2021-06-24 19:52:23 UTC 
In reply to comment #4:
> python 3.7 and newer are not affected. our python-pips include an older
> version of ipaddress.py, which is not affected

Do you mean python 3.7 and older?
Comment 8 Stefan Cornelius 2021-06-30 19:06:59 UTC 
Sorry for the confusion: Python 3.7 and *older* are not affected. I've edited my comment above to reflect this.
Comment 9 errata-xmlrpc 2021-08-24 08:09:16 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254
Comment 10 errata-xmlrpc 2021-11-09 17:27:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160
Comment 11 errata-xmlrpc 2021-11-09 17:28:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162
Comment 12 Product Security DevOps Team 2021-11-10 00:21:56 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-29921
Note You need to log in before you can comment on or make changes to this bug.