Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1854926 (CVE-2020-14422)

Summary: CVE-2020-14422 python: DoS via inefficiency in IPv{4,6}Interface classes
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adev88, bdettelb, carl, cheimes, cstratak, dmalcolm, extras-orphan, hhorak, jdobes, jeffrey.ness, jorton, kevin, manisandro, m.cyprian, metherid, mhroncok, ncoghlan, npmccallum, pviktori, pwouters, python-maint, python-sig, rkuska, scorneli, shcherbina.iryna, slavek.kabrda, steve.traylen, tflink, thrnciar, TicoTimo, tkasparek, tomckay, tomspur, torsava, vstinner
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the way the ipaddress python module computes hash values in the IPv4Interface and IPv6Interface classes. This flaw allows an attacker to create many dictionary entries, due to the performance of a dictionary containing the IPv4Interface or IPv6Interface objects, possibly resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-19 20:21:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1854930, 1854931, 1854932, 1854934, 1854936, 1854937, 1854938, 1854939, 1854940, 1854941, 1854942, 1854943, 1856382, 1856383, 1856384, 1856385, 1856386, 1857276, 1857277, 1857278, 1857279, 1857280, 1857282, 1857283, 1857284, 1857285, 1857286, 1857287, 1857288, 1857289, 1857292, 1857293, 1857294, 1858216, 1885290    
Bug Blocks:    

Description Dhananjay Arunesh 2020-07-08 12:52:24 UTC
A vulnerability was found in Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created.

References:
https://bugs.python.org/issue41004
https://github.com/python/cpython/pull/20956

Comment 1 Dhananjay Arunesh 2020-07-08 12:56:50 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 1854936]


Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1854931]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1854934]


Created python27 tracking bugs for this issue:

Affects: fedora-all [bug 1854937]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1854932]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1854930]
Affects: fedora-all [bug 1854938]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1854939]


Created python36 tracking bugs for this issue:

Affects: fedora-all [bug 1854940]


Created python37 tracking bugs for this issue:

Affects: fedora-all [bug 1854941]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1854942]


Created python39 tracking bugs for this issue:

Affects: fedora-all [bug 1854943]

Comment 4 Riccardo Schirone 2020-07-15 15:12:38 UTC
The hash value returned by IPv4Interface/IPv6Interface classes is wrongly a constant value. When an IPvXInterface object is used as key of a python dictionary, the hash value is used to determine in which hash table bucket the object needs to be put. For a large number of elements, the constant hash value transforms most dictionary operation in O(n) instead of the expected O(1), making a program much slower.

Comment 5 Riccardo Schirone 2020-07-15 15:14:01 UTC
python3 embeds the ipaddress module, where the flaw lies. Instead python2 does not embeds it, but a separate python-ipaddress package is provided. Moreover, the ipaddress module is usually embedded in python-pip as well.

Comment 6 Riccardo Schirone 2020-07-15 15:20:37 UTC
Statement:

In Red Hat Enterprise Linux, python3 includes the ipaddress module by default, while for python2 a separate package, python-ipaddress, needs to be installed for the module to be used. Moreover, the ipaddress module is included in other packages as well, like python-pip.

Comment 8 Riccardo Schirone 2020-07-15 15:31:17 UTC
Created python-ipaddress tracking bugs for this issue:

Affects: fedora-all [bug 1857292]


Created python-pip tracking bugs for this issue:

Affects: epel-all [bug 1857294]
Affects: fedora-all [bug 1857293]

Comment 9 Miro HronĨok 2020-07-15 15:59:30 UTC
Pip does not have dictionaries containing IPv4Interface or IPv6Interface objects. I don't think it's worth patching the bundled ipaddress module in it.

Comment 12 Riccardo Schirone 2020-07-17 09:21:58 UTC
Mitigation:

As a short term solution, if your application is using the IPv4Interface/IPv6Interface classes as keys of a dictionary, it is possible to patch the __hash__ method of those classes to not be constant.
```
IPv4Interface.__hash__ = lambda self: hash((self._ip, self._prefixlen, int(self.network.network_address)))
IPv6Interface.__hash__ = lambda self: hash((self._ip, self._prefixlen, int(self.network.network_address)))
```

Comment 18 errata-xmlrpc 2020-10-19 18:05:40 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285

Comment 19 Product Security DevOps Team 2020-10-19 20:21:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14422

Comment 22 errata-xmlrpc 2020-10-20 20:00:07 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4299 https://access.redhat.com/errata/RHSA-2020:4299

Comment 23 errata-xmlrpc 2020-11-04 00:51:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4433 https://access.redhat.com/errata/RHSA-2020:4433

Comment 24 errata-xmlrpc 2020-11-04 02:35:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4641 https://access.redhat.com/errata/RHSA-2020:4641

Comment 26 errata-xmlrpc 2020-11-10 12:59:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5010 https://access.redhat.com/errata/RHSA-2020:5010