[CVE-2020-14422] Hash collisions in IPv4Interface and IPv6Interface
In the ipaddress library there exist two classes, IPv4Interface and IPv6Interface. These classes' hash functions will always return 32 and 64 respectively. If IPv4Interface or IPv6Interface objects are then put in a dictionary, for example on a server storing IPs, this will cause hash collisions, which in turn can lead to DoS.
Resolve hash collisions for IPv4Interface and IPv6Interface. The __hash__() methods of classes IPv4Interface and IPv6Interface had the issue of generating constant hash values of 32 and 128 respectively, causing hash collisions. The fix uses the hash() function to generate hash values for the objects instead of an XOR operation.
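The following is an added example, not code from this advisory or from CPython. It reconstructs the two hash behaviours described above so the collision can be counted rather than inferred, and adds a check a defender can run against the interpreter they actually deploy. The XOR expression in `legacy_xor_hash` is my reconstruction of the pre-fix formula (the page only states that an XOR operation was replaced by `hash()`), and the 10.0.0.0 and 2001:db8:: ranges are constructed sample input.

```python
"""Added example for CVE-2020-14422 (not from the advisory or CPython):
count hash collisions under the old and new __hash__ strategies and
detect whether the running interpreter still has the defect."""
import ipaddress
import time


def legacy_xor_hash(iface):
    """Reconstruction (assumption, not quoted from the page) of the pre-fix
    __hash__: XOR of the address, the prefix length and the network address.
    For a host interface such as 10.0.0.1/32 the address equals the network
    address, so those two terms cancel and only the prefix length remains:
    32 for every IPv4 host interface, 128 for every IPv6 host interface."""
    return (int(iface.ip)
            ^ iface.network.prefixlen
            ^ int(iface.network.network_address))


def fixed_tuple_hash(iface):
    """Post-fix behaviour as the page describes it: the same fields are fed
    to hash() as a tuple, which mixes them instead of cancelling them."""
    return hash((int(iface.ip),
                 iface.network.prefixlen,
                 int(iface.network.network_address)))


def distinct_hashes(hash_fn, count, base="10.0.0.0",
                    cls=ipaddress.IPv4Interface):
    """Number of distinct hash values for `count` consecutive host
    interfaces starting at `base` (constructed sample input)."""
    start = int(ipaddress.ip_address(base))
    return len({hash_fn(cls(start + i)) for i in range(count)})


def interpreter_is_vulnerable():
    """True if this interpreter's own IPv4Interface/IPv6Interface.__hash__
    still maps two distinct host interfaces to the same value, which is the
    CVE-2020-14422 behaviour of Python through 3.8.3."""
    v4 = [hash(ipaddress.IPv4Interface(a)) for a in ("10.0.0.1", "10.0.0.2")]
    v6 = [hash(ipaddress.IPv6Interface(a))
          for a in ("2001:db8::1", "2001:db8::2")]
    return v4[0] == v4[1] or v6[0] == v6[1]


class _Keyed:
    """Dict key wrapper that lets us choose which hash function the dict
    sees, so both strategies can be timed on the same interpreter."""
    __slots__ = ("iface", "_h")

    def __init__(self, iface, hash_fn):
        self.iface = iface
        self._h = hash_fn(iface)

    def __hash__(self):
        return self._h

    def __eq__(self, other):
        return self.iface == other.iface


def time_dict_build(hash_fn, count):
    """Seconds needed to insert `count` interfaces keyed by `hash_fn`.
    With a constant hash every insert probes every earlier key, so the
    cost grows quadratically; this is the DoS condition in the advisory."""
    start = int(ipaddress.ip_address("10.0.0.0"))
    t0 = time.perf_counter()
    table = {}
    for i in range(count):
        table[_Keyed(ipaddress.IPv4Interface(start + i), hash_fn)] = i
    return time.perf_counter() - t0


if __name__ == "__main__":
    n = 1000
    print("distinct legacy hashes:", distinct_hashes(legacy_xor_hash, n))
    print("distinct fixed hashes: ", distinct_hashes(fixed_tuple_hash, n))
    print("legacy dict build: %.3fs" % time_dict_build(legacy_xor_hash, n))
    print("fixed dict build:  %.3fs" % time_dict_build(fixed_tuple_hash, n))
    print("this interpreter vulnerable:", interpreter_is_vulnerable())
```

`interpreter_is_vulnerable()` is the piece worth keeping in a deployment smoke test: it exercises the real `ipaddress` classes rather than the reconstruction, so it answers the question for whatever Python is installed, independent of the version strings listed below.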
- Disclosure date: 2020-06-17 (Python issue bpo-41004 reported)
- Python 3.5.10 (2020-09-05) fixed by commit 11d258c (branch 3.5) (2020-08-04)
- Python 3.6.12 (2020-08-15) fixed by commit cfc7ff8 (branch 3.6) (2020-06-30)
- Python 3.7.9 (2020-08-15) fixed by commit b98e779 (branch 3.7) (2020-06-30)
- Python 3.8.4 (2020-07-13) fixed by commit dc8ce8e (branch 3.8) (2020-06-29)
- Python 3.9.0 (2020-10-05) fixed by commit 9a646aa (branch 3.9) (2020-06-29)
[CVE-2020-14422] Hash collisions in IPv4Interface and IPv6Interface.
- Python issue: bpo-41004
- Creation date: 2020-06-17
- Reporter: Martin Wennberg
Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.
Timeline using the disclosure date 2020-06-17 as reference:
- 2020-06-17: Python issue bpo-41004 reported by Martin Wennberg
- 2020-06-18 (+1 day): CVE-2020-14422 published
- 2020-06-29 (+12 days): commit 9a646aa (branch 3.9)
- 2020-06-29 (+12 days): commit dc8ce8e (branch 3.8)
- 2020-06-30 (+13 days): commit b98e779 (branch 3.7)
- 2020-06-30 (+13 days): commit cfc7ff8 (branch 3.6)
- 2020-07-13 (+26 days): Python 3.8.4 released
- 2020-08-04 (+48 days): commit 11d258c (branch 3.5)
- 2020-08-15 (+59 days): Python 3.6.12 released
- 2020-08-15 (+59 days): Python 3.7.9 released
- 2020-09-05 (+80 days): Python 3.5.10 released
- 2020-10-05: Python 3.9.0 released