.. _ipaddress-hash-collisions:

[CVE-2020-14422] Hash collisions in IPv4Interface and IPv6Interface
===================================================================

.. warning::
   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**.

   The `canonical database for vulnerabilities affecting Python `_ is
   available on GitHub in the Open Source Vulnerability (OSV) format.
   This vulnerability can be viewed online at the `Open Source
   Vulnerability Database `_.

The ipaddress module defines two classes, IPv4Interface and IPv6Interface,
whose ``__hash__()`` methods returned a constant: 32 for every IPv4Interface
and 128 for every IPv6Interface created with the default /32 or /128 prefix.
The old hash XORed the address, the prefix length and the network address,
and with a host-only prefix the address and the network address are equal,
so they cancel and only the prefix length is left. If such objects are used
as dictionary keys, for example on a server that records client IPs, every
key falls into the same hash bucket and each insertion has to be compared
against all earlier keys, so an attacker who can make the server create many
entries turns dictionary operations quadratic and causes a denial of service
(DoS).

Resolve hash collisions for IPv4Interface and IPv6Interface.

The __hash__() methods of classes IPv4Interface and IPv6Interface had the
issue of generating constant hash values of 32 and 128 respectively, causing
hash collisions. The fix uses the hash() function to generate hash values
for the objects instead of the XOR operation.

Dates:

* Disclosure date: **2020-06-17** (Python issue bpo-41004 reported)

Fixed In
--------

* Python **3.5.10** (2020-09-05) fixed by `commit 11d258c (branch 3.5) `_ (2020-08-04)
* Python **3.6.12** (2020-08-15) fixed by `commit cfc7ff8 (branch 3.6) `_ (2020-06-30)
* Python **3.7.9** (2020-08-15) fixed by `commit b98e779 (branch 3.7) `_ (2020-06-30)
* Python **3.8.4** (2020-07-13) fixed by `commit dc8ce8e (branch 3.8) `_ (2020-06-29)
* Python **3.9.0** (2020-10-05) fixed by `commit 9a646aa (branch 3.9) `_ (2020-06-29)

Python issue
------------

[CVE-2020-14422] Hash collisions in IPv4Interface and IPv6Interface.

* Python issue: `bpo-41004 `_
* Creation date: 2020-06-17
* Reporter: martin wennberg

CVE-2020-14422
--------------

Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in
the IPv4Interface and IPv6Interface classes, which might allow a remote
attacker to cause a denial of service if an application is affected by the
performance of a dictionary containing IPv4Interface or IPv6Interface
objects, and this attacker can cause many dictionary entries to be created.
This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1,
v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.

* CVE ID: `CVE-2020-14422 `_
* Published: 2020-06-18
* `CVSS Score `_: 4.3

Timeline
--------

Timeline using the disclosure date **2020-06-17** as reference:

* 2020-06-17: `Python issue bpo-41004 `_ reported by martin wennberg
* 2020-06-18 (**+1 days**): CVE-2020-14422 published
* 2020-06-29 (**+12 days**): `commit 9a646aa (branch 3.9) `_
* 2020-06-29 (**+12 days**): `commit dc8ce8e (branch 3.8) `_
* 2020-06-30 (**+13 days**): `commit b98e779 (branch 3.7) `_
* 2020-06-30 (**+13 days**): `commit cfc7ff8 (branch 3.6) `_
* 2020-07-13 (**+26 days**): Python 3.8.4 released
* 2020-08-04 (**+48 days**): `commit 11d258c (branch 3.5) `_
* 2020-08-15 (**+59 days**): Python 3.6.12 released
* 2020-08-15 (**+59 days**): Python 3.7.9 released
* 2020-09-05 (**+80 days**): Python 3.5.10 released
* 2020-10-05 (**+110 days**): Python 3.9.0 released
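The description at the top of this page explains why the old hash collapsed
and how the fix changes it. The following script is an added example, not
code from this page or from CPython: it reproduces the pre-fix hash
(``pre_fix_hash``, an assumption reconstructed from the commit description
above: the XOR of the address, the prefix length and the network address),
the post-fix tuple hash, a check that tells you whether the running
interpreter is still affected, and a ``PreFixKey`` wrapper that lets you
reproduce the quadratic dictionary behaviour on a patched interpreter. The
sample addresses are constructed from the TEST-NET-3 range.

```python
"""CVE-2020-14422: reproduce the collapsed hash and check the interpreter.

Added example; not code from the python-security page or from CPython.
"""
import ipaddress
import time


def pre_fix_hash(iface):
    """Hash as IPv4Interface/IPv6Interface computed it before the fix.

    Assumption (reconstructed from the commit description, not copied from
    the page): the old __hash__ returned
        self._ip ^ self._prefixlen ^ int(self.network.network_address)
    With the default /32 or /128 prefix the address equals the network
    address, the XOR cancels, and only the prefix length (32 or 128) is left.
    """
    return (int(iface.ip)
            ^ iface.network.prefixlen
            ^ int(iface.network.network_address))


def post_fix_hash(iface):
    """Hash as computed after the fix: hash() of a tuple of the three fields."""
    return hash((int(iface.ip),
                 iface.network.prefixlen,
                 int(iface.network.network_address)))


def sample_interfaces(count, start="203.0.113.0"):
    """`count` consecutive IPv4Interface objects with the default /32 prefix.

    Constructed sample input (TEST-NET-3), standing in for client addresses a
    server might collect into a dict.
    """
    base = int(ipaddress.IPv4Address(start))
    return [ipaddress.IPv4Interface(str(ipaddress.IPv4Address(base + k)))
            for k in range(count)]


def distinct_hashes(interfaces, hash_func=hash):
    """Number of distinct values hash_func yields over the sample."""
    return len({hash_func(i) for i in interfaces})


def interpreter_is_affected(count=256):
    """True if this interpreter still hashes every default-prefix
    IPv4Interface to the same value (i.e. it predates the fix)."""
    return distinct_hashes(sample_interfaces(count)) == 1


class PreFixKey:
    """Dict key that reproduces the pre-fix hash on a patched interpreter.

    Equality is delegated to the wrapped interface, so the dict behaves as it
    did on an affected interpreter: every key follows the same probe sequence
    and each insert is compared against all earlier keys.
    """
    __slots__ = ("iface",)

    def __init__(self, iface):
        self.iface = iface

    def __hash__(self):
        return pre_fix_hash(self.iface)

    def __eq__(self, other):
        return isinstance(other, PreFixKey) and self.iface == other.iface


def dict_build_seconds(keys):
    """Wall-clock seconds needed to insert `keys` into a fresh dict."""
    start = time.perf_counter()
    table = {}
    for key in keys:
        table[key] = True
    return time.perf_counter() - start


if __name__ == "__main__":
    ifaces = sample_interfaces(2000)
    print("pre-fix distinct hashes :", distinct_hashes(ifaces, pre_fix_hash))
    print("post-fix distinct hashes:", distinct_hashes(ifaces, post_fix_hash))
    print("interpreter affected    :", interpreter_is_affected())
    print("dict build, real hash   : %.4fs" % dict_build_seconds(ifaces))
    print("dict build, pre-fix hash: %.4fs"
          % dict_build_seconds([PreFixKey(i) for i in ifaces]))
```

On a patched interpreter the two timings differ by orders of magnitude even
at 2000 keys, which is the effect the CVE text describes; grow the sample to
see the cost rise quadratically. ``interpreter_is_affected()`` is the cheap
check to run on a deployment before deciding whether an upgrade is still
outstanding.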