-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
e2e test for CVE-2021-29923 #107552
e2e test for CVE-2021-29923 #107552
Conversation
@aojea: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
😅 I have to confirm if is coredns that is discarding the IP with leading zeros @chrisohaver |
Indeed coredns doesn't consider the ips valid ... this is going to be a chaos, hopefully nobody is using these addresses 🙃
|
Any CoreDnS release compiled with Go 1.17 will treat IPv4 with leading zeros as invalid. We started compiling releases with Go 1.17 in 1.8.5. From Go 1.17 Docs: https://golang.org/doc/go1.17#minor_library_changes
|
yeah, thanks for confirming, the good side is that users will be forced to update the IPs with leading zeros, despite the data being valid in kubernetes, the users will not be able to have a fully working cluster because DNS will not work ... if we add the rest of the networking ecosystem Ingresses, CNI plugins, ... that most probably are doing the same, we can think in removing the custom parsers after a few releases |
125abf4
to
956dc29
Compare
I've modified the test to fail only if it can't connect to the IP in decimal format but it can against the IP interpreted in octal format, that is just what the CVE describes |
9d23454
to
6d00b90
Compare
The e2e test checks that the component implementing Kubernetes Services interprets ClusterIPs with leading zeros as decimal, otherwise the cluster will be exposed to CVE-2021-29923.
6d00b90
to
ac9eec0
Compare
/retest |
/test pull-kubernetes-unit |
/remove-sig api-machinery |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
Are we going to let this go forever? It seems so brittle.
We know that rejecting these would likely break stored data.
We know that canonicalizing these could cause apply-loop problems.
We know that not doing anything is brittle.
Deciding not to decide is terrible. What if started canonicalizing IP strings. In general we don't want to do this, but I think the risk justifies it here. If we were to do this, would we also canonicalize IPv6 addresses?
}) | ||
|
||
// Try to get a free IP that has different decimal and binary interpretation with leading zeros. | ||
// Return both IPs, the one interpretad as binary and the one interpreted as decimal. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: s/binary/octal
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aojea, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
I vote to wait until golang 1.16 is deprecated, check that no other project used the sloppy parsers and start a one year warning that the ips with zeros will be invalid. The data can be valid, but will be practicallly unusable , at minimum DNS will now work #107552 (comment) |
How does golang 1.16 really relate to this? It doesn't change existing
saved data or clients (not all of which are Go, of course).
…On Tue, Feb 8, 2022 at 11:19 AM Antonio Ojea ***@***.***> wrote:
Are we going to let this go forever? It seems so brittle
I vote to wait until golang 1.16 is deprecated, check that no other
project used the sloppy parsers and start a one year warning that the ips
with zeros will be invalid.
The data can be valid, but will be practicallly unusable , at minimum DNS
will now work #107552 (comment)
<#107552 (comment)>
—
Reply to this email directly, view it on GitHub
<#107552 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABKWAVBP35ZTXB6VIGR7DOTU2FUDPANCNFSM5L6UZQRA>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were assigned.Message ID:
***@***.***>
|
I was looking what APIs were using the parsers, and I found these: kubernetes/test/integration/apiserver/cve_2021_29923_test.go Lines 56 to 64 in df53ae8
The data is not going to change, but people using that data will have to migrate it or DNS will not work, per example, and my observation is that all projects are upgrading to 1.17 choosing the new parsers and not to drop the IPs with leading zeros, so is just not DNS, is most of the networking features. gardener/gardener#4822 Actually, it seems that only openshift and kubernetes upstream are using the sloppy parsers https://grep.app/search?q=ParseIPSloppy&case=true I think that being strict about data compatibility is right, but in this case, is really unlikely that people is using IPs with leading zeros, but in case there is someone, it is more unlikely that those IPs keep working after go 1.16 is deprecated. I've also made a tool to detect this IPs on etcd dumps, https://github.com/aojea/funny-ip-etcd-detector I think that an exception can be made for this, with a proper announcement and having a reasonable period to minimize the risk, so we can move to the stdlib parsers. |
The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass. This bot retests PRs for certain kubernetes repos according to the following rules:
You can:
/retest |
The data is not going to change, but people using that data will have to
migrate it or DNS will not work, per example,
So we just let cordns take the blame for a breaking change?
#107552 (comment)
<#107552 (comment)>
and my observation is that all projects are upgrading to 1.17 choosing the
new parsers and not to drop the IPs with leading zeros, so is just not DNS,
is most of the networking features.
gardener/gardener#4822 <gardener/gardener#4822>
antrea-io/antrea#3189 <antrea-io/antrea#3189>
ovn-org/ovn-kubernetes#2784
<ovn-org/ovn-kubernetes#2784>
cilium/cilium#17190 <cilium/cilium#17190>
projectcalico/calico#5285
<projectcalico/calico#5285>
Actually, it seems that only openshift and kubernetes upstream are using
the sloppy parsers
https://grep.app/search?q=ParseIPSloppy&case=true
I'm torn. It's wrong but so is breaking users.
I think that being strict about data compatibility is right, but in this
case, is really unlikely that people is using IPs with leading zeros, but
in case there is someone, it is more unlikely that those IPs keep working
after go 1.16 is deprecated.
...because we are the only ones being careful about compat...
I think that an exception can be made for this, with a proper announcement
and having a reasonable period to minimize the risk, so we can move to the
stdlib parsers.
I don't think we should break saved data.
1) Maybe we can stop allowing creates with broken IPs. Probably. But we
will need warnings first.
2) Maybe we can stop allowing updates to broken IPs. Not sure, but perhaps.
3) Maybe we throw a condition or something when we read a broken IP.
4) Maybe canonicalize on read. It could cause apply-loops but it won't
break existing data
Maybe we should do (3) - log these, add a metric, set a condition - for a
release or 2. Then implement (1) and (2) in addition. Then finally
implement (4). It would require keeping the sloppy parsing logic at least
in the read-path.
|
I don't think that we are the only that care about compat, golang decided to break this compat for a good reason, and is to avoid exposing users to this problem of parsers misalignment, and so other projects are doing.
I always think that the compat promise is a contract and as any contract in negotiable, and in this case I can see that with enough notice is a reasonable break with a very minimum risk. My point is that I argue this saved data is valid, since as we can see, you are rolling a dice, depending on the consumer of the data, the IP can mean one thing or the other, and we are breaking for a good reasoning, avoiding users to be exposed to a very subtle security issue. The big problem here is not the api machinery, if we know "these are the fields" we can do any of the solutions you propose, but there is no "IP" field or an easy way to track what objects and fields are affected, you can have IPs in any string field, and we can end with some IPs allow zeros and others not 🤷 |
Just put yourself in the place of a cluster user whose stuff works on Monday, and stops working on Tuesday. You'd be in a panic. Now you find out "Kubernetes changed some policy" and the only place it was documented was in the cluster's release notes (which, as a user, I probably don't read). How unhappy are you?
You're not wrong, but I still think we should try, at least for all the things we know about. How about something like:
|
Sounds like a good plan 👍 ... I'm in |
The e2e test checks that the component implementing Kubernetes Services
interprets ClusterIPs with leading zeros as decimal, otherwise the
cluster will be exposed to CVE-2021-29923.
This also verifies the validation for Services.
The other objects that are susceptible to be vulnerable are Endpoints and EndpointSlices, but they commonly are auto generated, that makes it harder to test, so this test is a necessary but not sufficient condition.
/kind cleanup
Ref #100895