Bug 1854926 (CVE-2020-14422) - CVE-2020-14422 python: DoS via inefficiency in IPv{4,6}Interface classes
Summary: CVE-2020-14422 python: DoS via inefficiency in IPv{4,6}Interface classes
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-14422
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1854930 1854931 1854932 1854934 1854936 1854937 1854938 1854939 1854940 1854941 1854942 1854943 1856382 1856383 1856384 1856385 1856386 1857276 1857277 1857278 1857279 1857280 1857282 1857283 1857284 1857285 1857286 1857287 1857288 1857289 1857292 1857293 1857294 1858216 1885290
Blocks: 1854944 1854945
Reported: 2020-07-08 12:52 UTC by Dhananjay Arunesh
Modified: 2021-02-16 19:42 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the way the ipaddress python module computes hash values in the IPv4Interface and IPv6Interface classes. This flaw allows an attacker to create many dictionary entries, due to the performance of a dictionary containing the IPv4Interface or IPv6Interface objects, possibly resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-10-19 20:21:15 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4285 0 None None None 2020-10-19 18:05:43 UTC
Red Hat Product Errata RHSA-2020:4299 0 None None None 2020-10-20 20:00:12 UTC
Red Hat Product Errata RHSA-2020:4433 0 None None None 2020-11-04 00:51:38 UTC
Red Hat Product Errata RHSA-2020:4641 0 None None None 2020-11-04 02:35:58 UTC
Red Hat Product Errata RHSA-2020:5010 0 None None None 2020-11-10 12:59:27 UTC

Description Dhananjay Arunesh 2020-07-08 12:52:24 UTC
A vulnerability was found in Lib/ipaddress.py in Python through 3.8.3, which improperly computes hash values in the IPv4Interface and IPv6Interface classes. This might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects and the attacker can cause many dictionary entries to be created.

References:
https://bugs.python.org/issue41004
https://github.com/python/cpython/pull/20956

Comment 1 Dhananjay Arunesh 2020-07-08 12:56:50 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 1854936]


Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1854931]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1854934]


Created python27 tracking bugs for this issue:

Affects: fedora-all [bug 1854937]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1854932]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1854930]
Affects: fedora-all [bug 1854938]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1854939]


Created python36 tracking bugs for this issue:

Affects: fedora-all [bug 1854940]


Created python37 tracking bugs for this issue:

Affects: fedora-all [bug 1854941]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1854942]


Created python39 tracking bugs for this issue:

Affects: fedora-all [bug 1854943]

Comment 4 Riccardo Schirone 2020-07-15 15:12:38 UTC
The hash value returned by the IPv4Interface/IPv6Interface classes is wrongly a constant value. When an IPvXInterface object is used as a key of a python dictionary, the hash value is used to determine in which hash table bucket the object needs to be put. For a large number of elements, the constant hash value transforms most dictionary operations into O(n) instead of the expected O(1), making a program much slower.

Comment 5 Riccardo Schirone 2020-07-15 15:14:01 UTC
python3 embeds the ipaddress module, where the flaw lies. python2, instead, does not embed it, but a separate python-ipaddress package is provided. Moreover, the ipaddress module is usually embedded in python-pip as well.

Comment 6 Riccardo Schirone 2020-07-15 15:20:37 UTC
Statement:

In Red Hat Enterprise Linux, python3 includes the ipaddress module by default, while for python2 a separate package, python-ipaddress, needs to be installed for the module to be used. Moreover, the ipaddress module is included in other packages as well, like python-pip.

Comment 8 Riccardo Schirone 2020-07-15 15:31:17 UTC
Created python-ipaddress tracking bugs for this issue:

Affects: fedora-all [bug 1857292]


Created python-pip tracking bugs for this issue:

Affects: epel-all [bug 1857294]
Affects: fedora-all [bug 1857293]

Comment 9 Miro Hrončok 2020-07-15 15:59:30 UTC
Pip does not have dictionaries containing IPv4Interface or IPv6Interface objects. I don't think it's worth patching the bundled ipaddress module in it.

Comment 12 Riccardo Schirone 2020-07-17 09:21:58 UTC
Mitigation:

As a short-term solution, if your application is using the IPv4Interface/IPv6Interface classes as keys of a dictionary, it is possible to patch the __hash__ method of those classes to not be constant.
```
from ipaddress import IPv4Interface, IPv6Interface

# Hash the address, prefix length and network address together so that
# distinct interfaces no longer share one hash value; equal interfaces
# still hash equal, so dict and set semantics are preserved.
IPv4Interface.__hash__ = lambda self: hash((self._ip, self._prefixlen, int(self.network.network_address)))
IPv6Interface.__hash__ = lambda self: hash((self._ip, self._prefixlen, int(self.network.network_address)))
```
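Added example (not code from this bug report or from CPython): it probes the installed ipaddress module for the constant-hash behaviour described in Comment 4 and applies the interim __hash__ patch from the mitigation above only to the classes that actually exhibit it. The probe addresses and the counting helper are constructed for this example.

```python
"""Detect the constant-hash flaw in IPv4Interface/IPv6Interface
(CVE-2020-14422) and apply the interim __hash__ patch only where needed.
Added example; not code from the bug report or from CPython."""
import ipaddress
from ipaddress import IPv4Interface, IPv6Interface

# Constructed probe sets: bare host addresses take the default /32 and /128
# prefix. On a flawed ipaddress module distinct probes hash to one value.
PROBES = {
    IPv4Interface: ["10.0.0.1", "10.0.0.2", "192.0.2.1", "198.51.100.7"],
    IPv6Interface: ["2001:db8::1", "2001:db8::2", "2001:db8:1::1", "fe80::1"],
}


def hashes_collide(cls, samples):
    """True when distinct interfaces share a hash value (the flaw)."""
    return len({hash(cls(s)) for s in samples}) < len(samples)


def patched_hash(self):
    # Same fields as the mitigation above; equal interfaces still hash equal,
    # so dict/set lookups keep working after the patch.
    return hash((self._ip, self._prefixlen, int(self.network.network_address)))


def apply_mitigation():
    """Patch only the classes that exhibit the flaw; return their names."""
    patched = []
    for cls, samples in PROBES.items():
        if hashes_collide(cls, samples):
            cls.__hash__ = patched_hash
            patched.append(cls.__name__)
    return patched


def distinct_hash_count(cls, base, n):
    """Distinct hashes among n consecutive host interfaces starting at base.
    A flawed module returns 1: every key lands in one bucket and each dict
    operation degrades to O(n). A sound hash returns n (barring rare collisions)."""
    start = int(ipaddress.ip_address(base))
    return len({hash(cls(str(ipaddress.ip_address(start + i)))) for i in range(n)})


if __name__ == "__main__":
    print("patched:", apply_mitigation() or "nothing (module already fixed)")
    print("IPv4 distinct hashes:", distinct_hash_count(IPv4Interface, "10.0.0.0", 256))
    print("IPv6 distinct hashes:", distinct_hash_count(IPv6Interface, "2001:db8::", 256))
```

On a fixed interpreter apply_mitigation() patches nothing and both counts equal the number of keys; on a flawed one the counts collapse to 1 before the patch is applied.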

Comment 18 errata-xmlrpc 2020-10-19 18:05:40 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285

Comment 19 Product Security DevOps Team 2020-10-19 20:21:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14422

Comment 22 errata-xmlrpc 2020-10-20 20:00:07 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4299 https://access.redhat.com/errata/RHSA-2020:4299

Comment 23 errata-xmlrpc 2020-11-04 00:51:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4433 https://access.redhat.com/errata/RHSA-2020:4433

Comment 24 errata-xmlrpc 2020-11-04 02:35:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4641 https://access.redhat.com/errata/RHSA-2020:4641

Comment 26 errata-xmlrpc 2020-11-10 12:59:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5010 https://access.redhat.com/errata/RHSA-2020:5010
