Bug 1992006 (CVE-2021-29923) - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
Summary: CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters a...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-29923
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1992008 1993110 1993111 1993112 1993113 1993114 1993115 1992001 1992002 1992003 1992007 1992009 1992903 1992904 1992905 1992906 1992907 1992908 1992909 1992910 1992911 1992912 1993314 1993315 1993316 1993411 1993412 1993413 1993414 1993415 1993416 1993417 1994008 1994010 1994510 1994511 1994512 1994513 1994514 1994515 1994516 1994517 1994518 1994519 1994522 1994523 1994524 1994525 1994526 1994527 1994528 1994529 1994530 1994531 1994532 1994533 1994534 1994535 1994536 1994537 1994538 1994539 1994540 1994541 1994542 1994543 1994544 1994546 1994547 1994548 1994549 1994550 1994551 1994552 1994553 1994554 1994555 1994556 1994557 1994558 1994559 1994560 1994561 1994562 1994563 1994564 1994565 1994566 1994567 1994568 1994569 1994570 1994571 1994572 1994573 1994574 1994575 1994576 1995212 1995213 1995214 1995215 1995216 1995217 1995218 1995219 1995220 1995221 1995222 1995223 1995225 1995227 1995328 1999241 1999242 1999243 1999359 2005060
Blocks: 1992010
Reported: 2021-08-10 14:27 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-09-01 01:19 UTC (History)

Fixed In Version: go 1.17.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-09-07 14:33:30 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3431 0 None None None 2021-09-07 08:36:08 UTC
Red Hat Product Errata RHSA-2021:3585 0 None None None 2021-09-21 08:41:21 UTC
Red Hat Product Errata RHSA-2021:4722 0 None None None 2021-11-17 15:35:43 UTC
Red Hat Product Errata RHSA-2021:4725 0 None None None 2021-11-17 18:39:58 UTC
Red Hat Product Errata RHSA-2021:4902 0 None None None 2021-12-01 17:24:04 UTC
Red Hat Product Errata RHSA-2021:4910 0 None None None 2021-12-02 14:25:12 UTC
Red Hat Product Errata RHSA-2021:4914 0 None None None 2021-12-02 17:00:53 UTC
Red Hat Product Errata RHSA-2022:0237 0 None None None 2022-01-24 13:51:19 UTC
Red Hat Product Errata RHSA-2022:0260 0 None None None 2022-01-25 13:53:51 UTC
Red Hat Product Errata RHSA-2022:0318 0 None None None 2022-01-27 16:56:38 UTC
Red Hat Product Errata RHSA-2022:0431 0 None None None 2022-02-03 15:13:19 UTC
Red Hat Product Errata RHSA-2022:0432 0 None None None 2022-02-03 16:07:47 UTC
Red Hat Product Errata RHSA-2022:0434 0 None None None 2022-02-03 18:25:09 UTC
Red Hat Product Errata RHSA-2022:0557 0 None None None 2022-02-23 12:51:09 UTC
Red Hat Product Errata RHSA-2022:0561 0 None None None 2022-02-23 13:55:58 UTC
Red Hat Product Errata RHSA-2022:0577 0 None None None 2022-03-28 09:36:19 UTC
Red Hat Product Errata RHSA-2022:0947 0 None None None 2022-03-16 15:49:57 UTC
Red Hat Product Errata RHSA-2022:0988 0 None None None 2022-03-24 10:58:10 UTC
Red Hat Product Errata RHSA-2022:0989 0 None None None 2022-03-24 10:57:15 UTC
Red Hat Product Errata RHSA-2022:0997 0 None None None 2022-03-23 22:27:43 UTC
Red Hat Product Errata RHSA-2022:0998 0 None None None 2022-03-23 22:27:18 UTC
Red Hat Product Errata RHSA-2022:1276 0 None None None 2022-04-07 17:58:54 UTC
Red Hat Product Errata RHSA-2022:1372 0 None None None 2022-04-13 18:49:15 UTC

Description Guilherme de Almeida Suckevicz 2021-08-10 14:27:44 UTC
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.

References:
https://github.com/golang/go/issues/30999
https://github.com/golang/go/issues/43389
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md

Upstream patch:
https://go-review.googlesource.com/c/go/+/325829/

Comment 1 Guilherme de Almeida Suckevicz 2021-08-10 14:28:26 UTC
Created etcd tracking bugs for this issue:

Affects: openstack-rdo [bug 1992008]


Created golang tracking bugs for this issue:

Affects: epel-all [bug 1992007]
Affects: fedora-all [bug 1992009]

Comment 2 lnacshon 2021-08-11 11:05:06 UTC
This is an issue in Go that affects net.ParseCIDR (PoC: https://play.golang.org/p/HpWqhr9tZ53): the function accepts any IP address and does not check the prefix when a CIDR is used. It's also not rejecting IP addresses that have leading zeros.
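
Added example (not from the bug report, the PoC link above, or the Go project): a defensive wrapper around net.ParseIP and net.ParseCIDR that rejects dotted-quad octets with leading zeros on any toolchain version, next to a small function showing what a C-style octal reading of the same string yields. That reading is the mismatch the description ("unexpected octal interpretation") and this comment refer to: a Go program before 1.17 read "010.0.0.1" as 10.0.0.1 while an octal-aware parser reads it as 8.0.0.1, so an IP allowlist evaluated in one place and a connection routed in another can disagree. The function names (StrictParseIPv4, StrictParseCIDR, OctalReading, Allowed) and the 10.0.0.0/8 allowlist are constructed for the illustration and are not part of the Go API.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ErrLeadingZero is returned for an IPv4 octet such as "010" or "00".
var ErrLeadingZero = errors.New("ipv4 octet has a leading zero")

// hasLeadingZeroOctet reports whether any dotted-decimal octet in s is
// longer than one character and starts with '0' (e.g. "010", "007").
// Only the address part is examined; strip a "/len" suffix before calling.
func hasLeadingZeroOctet(s string) bool {
	for _, oct := range strings.Split(s, ".") {
		if len(oct) > 1 && oct[0] == '0' {
			return true
		}
	}
	return false
}

// StrictParseIPv4 parses a dotted-quad IPv4 address and rejects the
// ambiguous leading-zero spellings regardless of the Go version in use
// (Go 1.17+ already rejects them; this keeps older builds consistent).
func StrictParseIPv4(s string) (net.IP, error) {
	if hasLeadingZeroOctet(s) {
		return nil, ErrLeadingZero
	}
	ip := net.ParseIP(s)
	if ip == nil || ip.To4() == nil {
		return nil, fmt.Errorf("not a valid IPv4 address: %q", s)
	}
	return ip.To4(), nil
}

// StrictParseCIDR applies the same rule to a prefix such as "10.0.0.0/8".
func StrictParseCIDR(s string) (*net.IPNet, error) {
	i := strings.IndexByte(s, '/')
	if i < 0 {
		return nil, fmt.Errorf("missing prefix length in %q", s)
	}
	if hasLeadingZeroOctet(s[:i]) {
		return nil, ErrLeadingZero
	}
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		return nil, err
	}
	return n, nil
}

// OctalReading shows how a C-style parser (inet_aton semantics) would read
// the same dotted-quad string: an octet with a leading zero is octal.
// It returns the resulting address, or "" if any octet is not a valid
// number in that base or exceeds 255 (shorthand forms like "1.2.3" are not handled).
func OctalReading(s string) string {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return ""
	}
	var out [4]string
	for i, oct := range parts {
		base := 10
		if len(oct) > 1 && oct[0] == '0' {
			base = 8
		}
		v, err := strconv.ParseUint(oct, base, 8)
		if err != nil {
			return ""
		}
		out[i] = strconv.FormatUint(v, 10)
	}
	return strings.Join(out[:], ".")
}

// Allowed applies an allowlist the way an IP-based access control should:
// the client address is parsed strictly, so an ambiguous spelling is
// denied instead of being matched against a network it may not belong to.
func Allowed(client string, allow []*net.IPNet) bool {
	ip, err := StrictParseIPv4(client)
	if err != nil {
		return false
	}
	for _, n := range allow {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed allowlist: only 10.0.0.0/8 is permitted.
	n, _ := StrictParseCIDR("10.0.0.0/8")
	for _, s := range []string{"10.0.0.1", "010.0.0.1", "8.0.0.1"} {
		fmt.Printf("%-10s allowed=%v octal-reading=%q\n", s, Allowed(s, []*net.IPNet{n}), OctalReading(s))
	}
}
```

The point of the wrapper is that the check is made at the parsing boundary rather than relying on whichever toolchain the binary was built with; rebuilding with Go 1.17.0, as the upstream fix does, and rejecting leading zeros explicitly are complementary, not alternatives.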

Comment 3 Przemyslaw Roguski 2021-08-11 19:04:18 UTC
The upstream fix:
https://go-review.googlesource.com/c/go/+/325829/
Added to the (not released yet) Go 1.17.0

Comment 4 Lokesh Mandvekar 2021-08-11 20:37:58 UTC
Hi, does this imply all tools on all of our products / distros using net.ParseCIDR will need to be rebuilt with Go 1.17.0?

Comment 29 errata-xmlrpc 2021-09-07 08:36:03 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2021:3431 https://access.redhat.com/errata/RHSA-2021:3431

Comment 30 Product Security DevOps Team 2021-09-07 14:33:30 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-29923

Comment 31 errata-xmlrpc 2021-09-21 08:41:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3585 https://access.redhat.com/errata/RHSA-2021:3585

Comment 32 errata-xmlrpc 2021-11-17 15:35:37 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-2.6
  RHEL-7-CNV-2.6

Via RHSA-2021:4722 https://access.redhat.com/errata/RHSA-2021:4722

Comment 33 errata-xmlrpc 2021-11-17 18:39:54 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-2.6

Via RHSA-2021:4725 https://access.redhat.com/errata/RHSA-2021:4725

Comment 34 errata-xmlrpc 2021-12-01 17:24:00 UTC
This issue has been addressed in the following products:

  RHACS-3.67-RHEL-8

Via RHSA-2021:4902 https://access.redhat.com/errata/RHSA-2021:4902

Comment 35 errata-xmlrpc 2021-12-02 14:25:07 UTC
This issue has been addressed in the following products:

  RHEL-7-CNV-4.8
  RHEL-8-CNV-4.8

Via RHSA-2021:4910 https://access.redhat.com/errata/RHSA-2021:4910

Comment 36 errata-xmlrpc 2021-12-02 17:00:47 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.8

Via RHSA-2021:4914 https://access.redhat.com/errata/RHSA-2021:4914

Comment 37 errata-xmlrpc 2022-01-24 13:51:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:0237 https://access.redhat.com/errata/RHSA-2022:0237

Comment 38 errata-xmlrpc 2022-01-25 13:53:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:0260 https://access.redhat.com/errata/RHSA-2022:0260

Comment 39 errata-xmlrpc 2022-01-27 16:56:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift distributed tracing 2.1

Via RHSA-2022:0318 https://access.redhat.com/errata/RHSA-2022:0318

Comment 40 errata-xmlrpc 2022-02-03 15:13:11 UTC
This issue has been addressed in the following products:

  RHACS-3.68-RHEL-8

Via RHSA-2022:0431 https://access.redhat.com/errata/RHSA-2022:0431

Comment 41 errata-xmlrpc 2022-02-03 16:07:40 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:0432 https://access.redhat.com/errata/RHSA-2022:0432

Comment 42 errata-xmlrpc 2022-02-03 18:25:02 UTC
This issue has been addressed in the following products:

  OpenShift Serverless 1.20

Via RHSA-2022:0434 https://access.redhat.com/errata/RHSA-2022:0434

Comment 45 errata-xmlrpc 2022-02-23 12:51:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:0557 https://access.redhat.com/errata/RHSA-2022:0557

Comment 46 errata-xmlrpc 2022-02-23 13:55:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:0561 https://access.redhat.com/errata/RHSA-2022:0561

Comment 50 errata-xmlrpc 2022-03-16 15:49:50 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:0947 https://access.redhat.com/errata/RHSA-2022:0947

Comment 51 errata-xmlrpc 2022-03-23 22:27:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:0998 https://access.redhat.com/errata/RHSA-2022:0998

Comment 52 errata-xmlrpc 2022-03-23 22:27:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:0997 https://access.redhat.com/errata/RHSA-2022:0997

Comment 53 errata-xmlrpc 2022-03-24 10:57:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:0989 https://access.redhat.com/errata/RHSA-2022:0989

Comment 54 errata-xmlrpc 2022-03-24 10:58:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:0988 https://access.redhat.com/errata/RHSA-2022:0988

Comment 55 errata-xmlrpc 2022-03-28 09:36:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577

Comment 56 errata-xmlrpc 2022-04-07 17:58:48 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2022:1276 https://access.redhat.com/errata/RHSA-2022:1276

Comment 57 errata-xmlrpc 2022-04-13 18:49:08 UTC
This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1372 https://access.redhat.com/errata/RHSA-2022:1372
