Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.

References:
https://github.com/golang/go/issues/30999
https://github.com/golang/go/issues/43389
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md

Upstream patch: https://go-review.googlesource.com/c/go/+/325829/
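The bypass the description refers to, as an added example (this is not code from the Go project, the upstream patch, or this bug; the three parsing modes, the parseCIDR/allowed helpers, the 10.0.0.0/8 allowlist and the address 010.8.8.8 are all constructed for illustration). Pre-1.17 net.ParseIP read "010" as decimal 10, while inet_aton(3) and many other stacks read it as octal 8, so an allowlist check done in Go can agree with the attacker while the connection actually lands elsewhere; the strict mode models the post-fix behaviour, which rejects the octet outright:

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ipv4Mode selects how an octet with an extra leading zero ("010") is read.
type ipv4Mode int

const (
	modeLenient ipv4Mode = iota // net.ParseIP before Go 1.17: "010" is decimal 10
	modeOctal                   // inet_aton(3) and many other stacks: "010" is octal 8
	modeStrict                  // net.ParseIP from Go 1.17 on: "010" is rejected
)

func (m ipv4Mode) String() string {
	switch m {
	case modeLenient:
		return "lenient"
	case modeOctal:
		return "octal"
	default:
		return "strict"
	}
}

// parseIPv4 parses a dotted quad under the chosen mode and returns nil on
// rejection. A lone "0" octet is legal in every mode; only extra leading zeros differ.
func parseIPv4(s string, mode ipv4Mode) net.IP {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		base := 10
		if len(p) > 1 && p[0] == '0' {
			switch mode {
			case modeStrict:
				return nil // extra leading zero: fail closed
			case modeOctal:
				base = 8 // extra leading zero: octal, as inet_aton reads it
			}
		}
		// ParseUint rejects signs, digits invalid for the base, and values above 255.
		n, err := strconv.ParseUint(p, base, 8)
		if err != nil {
			return nil
		}
		ip[i] = byte(n)
	}
	return ip
}

// parseCIDR is the same for "a.b.c.d/n" and, like net.ParseCIDR, returns the
// network with its host bits cleared (hypothetical helper, not the stdlib one).
func parseCIDR(s string, mode ipv4Mode) (*net.IPNet, error) {
	i := strings.IndexByte(s, '/')
	if i < 0 {
		return nil, errors.New("missing prefix length")
	}
	ip := parseIPv4(s[:i], mode)
	if ip == nil {
		return nil, errors.New("invalid address")
	}
	bits, err := strconv.ParseUint(s[i+1:], 10, 8)
	if err != nil || bits > 32 {
		return nil, errors.New("invalid prefix length")
	}
	mask := net.CIDRMask(int(bits), 32)
	return &net.IPNet{IP: ip.Mask(mask), Mask: mask}, nil
}

// allowed models an IP-based access check: the client-supplied string is parsed
// under the given mode and tested against the trusted network.
func allowed(addr string, trusted *net.IPNet, mode ipv4Mode) bool {
	ip := parseIPv4(addr, mode)
	return ip != nil && trusted.Contains(ip)
}

func main() {
	// Constructed sample input: a private 10/8 allowlist and an attacker-chosen
	// address whose leading zero changes its meaning between parsers.
	trusted, err := parseCIDR("10.0.0.0/8", modeStrict)
	if err != nil {
		panic(err)
	}
	const attacker = "010.8.8.8"
	for _, m := range []ipv4Mode{modeLenient, modeOctal, modeStrict} {
		fmt.Printf("%-7s parse(%q) = %v, allowed = %v\n",
			m, attacker, parseIPv4(attacker, m), allowed(attacker, trusted, m))
	}
	// A Go >= 1.17 toolchain rejects this input in the standard library as well.
	fmt.Println("net.ParseIP:", net.ParseIP(attacker))
}
```

The lenient check admits 010.8.8.8 as 10.8.8.8, inside the allowlist, while an octal-reading resolver or kernel treats the same string as 8.8.8.8, outside it; the only safe outcome is the strict one, which is why the fix rejects rather than normalises. Allowlists should compare the parsed, canonical address, never the raw string, and should be applied by the same component that opens the connection.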
Created etcd tracking bugs for this issue: Affects: openstack-rdo [bug 1992008] Created golang tracking bugs for this issue: Affects: epel-all [bug 1992007] Affects: fedora-all [bug 1992009]
This is an issue in Go that affects net.ParseCIDR. POC: https://play.golang.org/p/HpWqhr9tZ53. The function accepts any IP address and does not check the prefix when a CIDR is used. It is also not rejecting IP addresses that lead with zeros.
The upstream fix: https://go-review.googlesource.com/c/go/+/325829/ Added to the (not released yet) Go 1.17.0
Hi, does this imply all tools on all of our products / distros using net.ParseCIDR will need to be rebuilt with Go 1.17.0?
This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2021:3431 https://access.redhat.com/errata/RHSA-2021:3431
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-29923
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3585 https://access.redhat.com/errata/RHSA-2021:3585
This issue has been addressed in the following products: RHEL-8-CNV-2.6 RHEL-7-CNV-2.6 Via RHSA-2021:4722 https://access.redhat.com/errata/RHSA-2021:4722
This issue has been addressed in the following products: RHEL-8-CNV-2.6 Via RHSA-2021:4725 https://access.redhat.com/errata/RHSA-2021:4725
This issue has been addressed in the following products: RHACS-3.67-RHEL-8 Via RHSA-2021:4902 https://access.redhat.com/errata/RHSA-2021:4902
This issue has been addressed in the following products: RHEL-7-CNV-4.8 RHEL-8-CNV-4.8 Via RHSA-2021:4910 https://access.redhat.com/errata/RHSA-2021:4910
This issue has been addressed in the following products: RHEL-8-CNV-4.8 Via RHSA-2021:4914 https://access.redhat.com/errata/RHSA-2021:4914
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2022:0237 https://access.redhat.com/errata/RHSA-2022:0237
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2022:0260 https://access.redhat.com/errata/RHSA-2022:0260
This issue has been addressed in the following products: Red Hat OpenShift distributed tracing 2.1 Via RHSA-2022:0318 https://access.redhat.com/errata/RHSA-2022:0318
This issue has been addressed in the following products: RHACS-3.68-RHEL-8 Via RHSA-2022:0431 https://access.redhat.com/errata/RHSA-2022:0431
This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2022:0432 https://access.redhat.com/errata/RHSA-2022:0432
This issue has been addressed in the following products: OpenShift Serverless 1.20 Via RHSA-2022:0434 https://access.redhat.com/errata/RHSA-2022:0434
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2022:0557 https://access.redhat.com/errata/RHSA-2022:0557
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2022:0561 https://access.redhat.com/errata/RHSA-2022:0561
This issue has been addressed in the following products: RHEL-8-CNV-4.10 Via RHSA-2022:0947 https://access.redhat.com/errata/RHSA-2022:0947
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2022:0998 https://access.redhat.com/errata/RHSA-2022:0998
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2022:0997 https://access.redhat.com/errata/RHSA-2022:0997
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2022:0989 https://access.redhat.com/errata/RHSA-2022:0989
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2022:0988 https://access.redhat.com/errata/RHSA-2022:0988
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577
This issue has been addressed in the following products: OpenShift Service Mesh 2.0 Via RHSA-2022:1276 https://access.redhat.com/errata/RHSA-2022:1276
This issue has been addressed in the following products: RHODF-4.10-RHEL-8 Via RHSA-2022:1372 https://access.redhat.com/errata/RHSA-2022:1372