[IntelMQ-users] IntelMQ also impacted by Python 3.8 IP address parsing bug (CVE-2021-29921)

Sebastian Wagner wagner at cert.at
Mon May 3 15:57:06 CEST 2021


Dear all,

you may have heard about a parsing bug/vulnerability in Python's
ipaddress module. Only Python versions >= 3.8 are affected. The bug
affects the handling of addresses in octal notation.

The sources below have more details on the error, but in principle it
means that the leading zeros of IP addresses in octal notation are
stripped and the rest is parsed as decimal. The correct behavior would have
been that the numbers starting with zeros are parsed as octal. You can
also see the (erroneous) changes in the documentation:
https://docs.python.org/3/library/ipaddress.html#ipaddress.IPv4Address
("Changed in version 3.8" and "Changed in version 3.10"). There is no fix
yet for this bug, but you should receive it soon from your distribution.

As an IntelMQ user, you need to trust your input sources anyway, or
check the validity of the collected data. If any feed gives you IP
addresses with leading zeros, the outcome may be unexpected.

Further sources:

https://www.bleepingcomputer.com/news/security/python-also-impacted-by-critical-ip-address-validation-vulnerability/
https://sick.codes/sick-2021-014/

best regards
Sebastian

-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 676 898 298 7201
// CERT Austria - https://www.cert.at/
// An initiative of nic.at GmbH - https://www.nic.at/
// Company register number 172568b, LG Salzburg
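
One way to implement the validity check suggested in the message above, as an added example that is not part of the original e-mail and not IntelMQ code: it flags IPv4 strings with zero-padded octets before they reach `ipaddress`, and shows how the "zeros stripped, parsed as decimal" reading diverges from the octal one. The function names `check_feed_ipv4` and `triage` and the sample values are assumptions made for illustration.

```python
import ipaddress

def check_feed_ipv4(value):
    """Return ("ok", addr), ("ambiguous", (decimal, octal)) or ("invalid", None)."""
    parts = value.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return ("invalid", None)
    padded = [len(p) > 1 and p.startswith("0") for p in parts]
    if not any(padded):
        # No leading zeros: every Python version parses this the same way.
        try:
            return ("ok", str(ipaddress.IPv4Address(".".join(parts))))
        except ipaddress.AddressValueError:
            return ("invalid", None)

    def reading(base):
        # Interpret zero-padded octets in the given base, the rest as decimal.
        try:
            octets = [int(p, base if z else 10) for p, z in zip(parts, padded)]
        except ValueError:  # e.g. "08" is not a valid octal number
            return None
        return ".".join(map(str, octets)) if max(octets) <= 255 else None

    # Zeros stripped and read as decimal vs. read as octal: never pass this on.
    return ("ambiguous", (reading(10), reading(8)))

def triage(values):
    """Split feed values into accepted addresses and quarantined raw strings."""
    accepted, quarantined = [], []
    for v in values:
        status, result = check_feed_ipv4(v)
        if status == "ok":
            accepted.append(result)
        else:
            quarantined.append(v)
    return accepted, quarantined

# Constructed sample feed values (RFC 5737 documentation range), not real feed data.
SAMPLE = ["192.0.2.10", "192.0.2.010", "0300.0.2.1", "192.0.2.08", "192.0.2.999"]

if __name__ == "__main__":
    for v in SAMPLE:
        print(v, "->", check_feed_ipv4(v))
```

Because the check does its own octet inspection, the result does not depend on whether the installed Python still has the bug or already rejects leading zeros.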
