Bug 2042493 - No way to verify if IPs with leading zeros are still valid in the apiserver
Summary: No way to verify if IPs with leading zeros are still valid in the apiserver
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.10.0
Assignee: Antonio Ojea
QA Contact: Rahul Gangwar
Depends On:
Blocks: 2043807 2073153
TreeView+ depends on / blocked
Reported: 2022-01-19 15:38 UTC by Antonio Ojea
Modified: 2022-04-08 12:38 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2022-03-10 16:40:51 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift kubernetes pull 1124 0 None Merged Bug 2042493: UPSTREAM 107564: kube-apiserver integration test: allow IPs with leading zeros on the API 2022-01-24 15:49:11 UTC
Github openshift kubernetes pull 1129 0 None Merged Bug 2042493: UPSTREAM: <carry>: Fix conformance and serial tests by stopping node cordoning 2022-01-24 15:49:12 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:41:06 UTC

Description Antonio Ojea 2022-01-19 15:38:34 UTC
Add an integration test to verify that IPs with leading zeros are still allowed by the API server.
This test guarantee that data that was previous valid (containing IPs with leading zeros) remains valid.

Ref CVE-2021-29923

Comment 4 Rahul Gangwar 2022-01-25 12:21:02 UTC
oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-01-24-070025   True        False         5h37m   Cluster version is 4.10.0-0.nightly-2022-01-24-070025

Creating service with leading 0's in IP

apiVersion: v1
kind: Service
  name: test
  namespace: default
  - name: "80"
    port: 80
    protocol: TCP
    targetPort: 80
    app: test
  type: ClusterIP

oc create -f test.yaml --loglevel=9
I0125 17:41:47.104925   26383 loader.go:379] Config loaded from file:  /Users/rahulgangwar/office-work/kubeconfig/kube.124.txt
I0125 17:41:47.110959   26383 request.go:1107] Request Body: {"apiVersion":"v1","kind":"Service","metadata":{"name":"test2","namespace":"default"},"spec":{"clusterIP":"","ports":[{"name":"80","port":80,"protocol":"TCP","targetPort":80}],"selector":{"app":"test2"},"type":"ClusterIP"}}
I0125 17:41:47.111047   26383 round_trippers.go:425] curl -k -v -XPOST  -H "Content-Type: application/json" -H "User-Agent: oc/4.7.0 (darwin/amd64) kubernetes/9b9f77a" -H "Accept: application/json" 'https://api.rgangwar-25de.qe.devcluster.openshift.com:6443/api/v1/namespaces/default/services?fieldManager=kubectl-create'
I0125 17:41:48.205013   26383 round_trippers.go:445] POST https://api.rgangwar-25de.qe.devcluster.openshift.com:6443/api/v1/namespaces/default/services?fieldManager=kubectl-create 201 Created in 1093 milliseconds
I0125 17:41:48.205122   26383 round_trippers.go:451] Response Headers:
I0125 17:41:48.205150   26383 round_trippers.go:454]     Content-Type: application/json
I0125 17:41:48.205168   26383 round_trippers.go:454]     Content-Length: 912
I0125 17:41:48.205182   26383 round_trippers.go:454]     Date: Tue, 25 Jan 2022 12:11:48 GMT
I0125 17:41:48.205195   26383 round_trippers.go:454]     Audit-Id: 78fc3717-638f-463a-bbd4-56ac871c36d7
I0125 17:41:48.205208   26383 round_trippers.go:454]     Cache-Control: no-cache, private
I0125 17:41:48.205299   26383 request.go:1107] Response Body: {"kind":"Service","apiVersion":"v1","metadata":{"name":"test2","namespace":"default","uid":"ed82e61b-16c8-42da-89d9-bd214903db49","resourceVersion":"125208","creationTimestamp":"2022-01-25T12:11:48Z","managedFields":[{"manager":"kubectl-create","operation":"Update","apiVersion":"v1","time":"2022-01-25T12:11:48Z","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{"f:clusterIP":{},"f:internalTrafficPolicy":{},"f:ports":{".":{},"k:{\"port\":80,\"protocol\":\"TCP\"}":{".":{},"f:name":{},"f:port":{},"f:protocol":{},"f:targetPort":{}}},"f:selector":{},"f:sessionAffinity":{},"f:type":{}}}}]},"spec":{"ports":[{"name":"80","protocol":"TCP","port":80,"targetPort":80}],"selector":{"app":"test2"},"clusterIP":"","clusterIPs":[""],"type":"ClusterIP","sessionAffinity":"None","ipFamilies":["IPv4"],"ipFamilyPolicy":"SingleStack","internalTrafficPolicy":"Cluster"},"status":{"loadBalancer":{}}}
service/test2 created

oc get service test2 -n default
test2   ClusterIP   <none>        80/TCP    3m11s

Comment 8 errata-xmlrpc 2022-03-10 16:40:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.