New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deprecate IPs with Leading Zeros ( CVE-2021-29923 ) #108074
Comments
@aojea: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
requesting input from @liggitt about the proposal I think that this are the only places that use the parsers for validation kubernetes/test/integration/apiserver/cve_2021_29923_test.go Lines 56 to 64 in df53ae8
|
not sure of all the types it propagates into, but these are the call sites I'd chase to APIs to understand exposure:
|
Yes
log/metric (and even warning) seem ok... less sure about writing to the API object
Probably ok, though can get pretty messy (pod spec and service immutability on update are particularly messy)
Can use the existing pattern of plumbing validation opts into validation, and setting whether to tolerate based on the presence of leading-zero IPs/CIDRs in the existing object
I'm less certain about fix-on-read after the experience in #107847 (comment) |
But that's all patched up now :) |
can you add:
|
They should use the non-sloppy functions in their validation functions but for now we should probably still require people to use the sloppy functions everywhere else, just for consistency / not needing to think about it. (If the field has been validated to have no leading zeros then it's guaranteed that ParseIP() and ParseIPSloppy() will give the same results later on, so using the sloppy function on "non-sloppy" data is fine.) Longer term this ties into the whole "migrating to new golang 1.18 IP type/APIs" thing |
``` +==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +==============================================================================+ | REPORT | | checked 30 packages, using free DB (updated once a month) | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | kubernetes | 23.3.0 | >0 | 45114 | +==============================================================================+ | Kubernetes (python client) uses Kubernetes API, which has an unfixed | | vulnerability, CVE-2021-29923: Go before 1.17 does not properly consider | | extraneous zero characters at the beginning of an IP address octet, which | | (in some situations) allows attackers to bypass access control that is based | | on IP addresses, because of unexpected octal interpretation. This affects | | net.ParseIP and net.ParseCIDR. Kubernetes interprets leading zeros on IPv4 | | addresses as decimal to keep backwards compatibility, but users relying on | | parser alignment will be impacted by this CVE. | | kubernetes/kubernetes#104368 | | kubernetes/kubernetes#108074 | +==============================================================================+ ```
``` +==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +==============================================================================+ | REPORT | | checked 5 packages, using free DB (updated once a month) | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | kubernetes | 23.3.0 | >0 | 45114 | +==============================================================================+ | Kubernetes (python client) uses Kubernetes API, which has an unfixed | | vulnerability, CVE-2021-29923: Go before 1.17 does not properly consider | | extraneous zero characters at the beginning of an IP address octet, which | | (in some situations) allows attackers to bypass access control that is based | | on IP addresses, because of unexpected octal interpretation. This affects | | net.ParseIP and net.ParseCIDR. Kubernetes interprets leading zeros on IPv4 | | addresses as decimal to keep backwards compatibility, but users relying on | | parser alignment will be impacted by this CVE. | | kubernetes/kubernetes#104368 | | kubernetes/kubernetes#108074 | +==============================================================================+ ```
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
|
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
I'm working for migrating Services IPs as part of |
Wondering if maybe we need a KEP here, but...
|
omg
|
The question witht his proposal is whether we have the stomach to do step 6 - actually reject ill-formed IPs (in new usage) even when they USED TO work. Will it actually break anyone? It seems unlikely but that's not the bar. |
/assign @danwinship |
To summarize the situation:
We are in a situation where users can have IPs with leading zeros in their API objects, but may not be able to use it because the CNI, DNS, Ingress, ... implementation doesn't consider it valid
The proposal is (quoting thockin)
Originally posted by @thockin in #107552 (comment)
The text was updated successfully, but these errors were encountered: