IntelMQ also impacted by Python 3.8 IP address parsing bug (CVE-2021-29921) - IntelMQ-users

3 May 2021


      Dear all,
you may have heard about a parsing bug/vulnerability in Python's
ipaddress module. Only Python version >= 3.8 are affected. The bug
affects the handling of addresses in octal notation
The sources below have more details on the error, but in principle it
means that the leading zeros of IP address in octal notation are
stripped and the rest is parsed decimal. The correct behavior would have
been that the numbers starting with zeros are parsed as octal. You can
also see the (erroneous) changes in the documentation:
https://docs.python.org/3/library/ipaddress.html#ipaddress.IPv4Address
("Changed in version 3.8" and "Changed in version 3.10"). There no fix
yet for this bug, but you should receive it soon from your distribution.
As an IntelMQ user, you need to trust your input sources anyway, or
check the validity of the collected data. If any feed gives you IP
addresses with leading zeros, the outcome may be unexpected.
Further sources:
https://www.bleepingcomputer.com/news/security/python-also-impacted-by-criti...
https://sick.codes/sick-2021-014/
best regards
Sebastian
-- 
// Sebastian Wagner wagner@cert.at - T: +43 676 898 298 7201
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg