CVE-2021-29921
📋 TL;DR
The Python ipaddress library incorrectly interprets IP addresses with leading zeros in octets, treating them as octal numbers instead of decimal. This allows attackers to bypass IP-based access controls by crafting IP addresses that appear different to the library than to network systems. Affects applications that use ipaddress for access control on Python versions before 3.9.5.
💻 Affected Systems
- Python
- Applications using Python ipaddress module
📦 What is this software?
Communications Cloud Native Core Automated Test Suite by Oracle
Communications Cloud Native Core Binding Support Function by Oracle
Communications Cloud Native Core Network Slice Selection Function by Oracle
GraalVM by Oracle
Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
⚠️ Risk & Real-World Impact
Worst Case
Complete bypass of IP-based authentication and authorization systems, allowing unauthorized access to sensitive systems, data exfiltration, or privilege escalation.
Likely Case
Partial bypass of IP whitelisting/blacklisting controls, potentially allowing unauthorized API access, admin panel access, or resource access.
If Mitigated
Limited impact if additional authentication layers exist beyond IP-based controls, or if affected systems aren't internet-facing.
🎯 Exploit Status
Exploitation requires knowledge of IP-based access controls and ability to send requests with crafted IP addresses. No authentication needed if IP is the only control.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Python 3.9.5 and later
Vendor Advisory: https://bugs.python.org/issue36384
Restart Required: Yes
Instructions:
1. Upgrade Python to version 3.9.5 or later.
2. Restart all Python applications/services.
3. Test IP validation functionality after upgrade.
🔧 Temporary Workarounds
Custom IP validation
Applies to: all
Implement custom IP validation that strips leading zeros from each octet before passing the address to the ipaddress module.
import re
import ipaddress

# Plain dotted-quad shape: four groups of 1-3 ASCII digits (rejects '+1', ' 1', '1_0' that int() would accept).
_DOTTED_QUAD = re.compile(r'[0-9]{1,3}(?:\.[0-9]{1,3}){3}')

def safe_ip_address(ip_str):
    # Only IPv4 strings are rewritten; IPv6 is passed through unchanged for ipaddress to validate.
    if _DOTTED_QUAD.fullmatch(ip_str):
        # Strip leading zeros so every octet is read as decimal on all Python versions.
        ip_str = '.'.join(str(int(octet)) for octet in ip_str.split('.'))
    return ipaddress.ip_address(ip_str)
Network layer controls
Applies to: all
Implement IP filtering at the network/firewall level instead of the application level.
🧯 If You Can't Patch
- Implement additional authentication layers beyond IP-based controls
- Monitor logs for unusual IP patterns and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Test if ipaddress.ip_address('010.010.010.010') returns same as ipaddress.ip_address('8.8.8.8') in Python <3.9.5
Check Version:
python --version
Verify Fix Applied:
After upgrade, verify ipaddress.ip_address('010.010.010.010') raises ValueError in Python >=3.9.5
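As an added example (not code from the page or from CPython), a stricter variant of the custom-validation workaround above that rejects leading-zero octets on any interpreter rather than normalising them, a fail-closed allowlist helper built on it, and the interpreter probe from this "How to Verify" section; the names `strict_ip_address`, `is_allowed` and `interpreter_accepts_leading_zeros` are chosen here.

```python
import ipaddress
import re

# Strict dotted-quad shape: four octets of 1-3 ASCII digits each.
_DOTTED_QUAD = re.compile(r'[0-9]{1,3}(?:\.[0-9]{1,3}){3}')

def strict_ip_address(ip_str):
    """Parse ip_str, refusing IPv4 octets with leading zeros on every
    Python version rather than relying on the check added in 3.9.5."""
    if _DOTTED_QUAD.fullmatch(ip_str):
        for octet in ip_str.split('.'):
            if len(octet) > 1 and octet[0] == '0':
                raise ValueError(
                    f'leading zero in octet {octet!r} of {ip_str!r}: '
                    'decimal and octal parsers would disagree')
    # Range errors (octet > 255) and IPv6 syntax are left to ipaddress.
    return ipaddress.ip_address(ip_str)

def is_allowed(client_ip, allowlist):
    """Allowlist check that fails closed: any string strict_ip_address
    rejects is treated as not allowed instead of being normalised."""
    try:
        addr = strict_ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in allowlist)

def interpreter_accepts_leading_zeros():
    """The 'Check if Vulnerable' probe: True means this interpreter still
    accepts '010.010.010.010', i.e. it predates the 3.9.5 fix."""
    try:
        ipaddress.ip_address('010.010.010.010')
    except ValueError:
        return False
    return True

if __name__ == '__main__':
    print('interpreter accepts leading zeros:', interpreter_accepts_leading_zeros())
    print('192.168.001.001 allowed:', is_allowed('192.168.001.001', ['192.168.0.0/16']))
```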
📡 Detection & Monitoring
Log Indicators:
- Requests with IP addresses containing leading zeros (e.g., 010.0.0.1, 192.168.001.001)
- Successful authentication/access from unexpected IP ranges
Network Indicators:
- Traffic from IP addresses with leading zeros in requests
- Unusual access patterns bypassing expected IP restrictions
SIEM Query:
source_ip:/([0-9]+\.)*0[0-9]+(\.[0-9]+)*/ OR http_user_agent:*010.*010.*010.*010*
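Added example, not from the page: the log indicators above applied to constructed sample lines, flagging every dotted-quad token with a leading-zero octet in any position and reporting both the decimal reading and the octal reading an inet_aton-style parser would give, so an analyst can see at triage time where the two disagree. Function names and the log format are assumptions made here.

```python
import re

# Any dotted-quad-looking token; deliberately wider than valid IPv4 so nothing is missed.
_IPV4_TOKEN = re.compile(r'(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])')

def octal_reading(ip_str):
    """Reading by a parser that treats '0'-prefixed octets as octal.
    Returns None when such an octet is not valid octal (e.g. '09'),
    which those parsers reject outright."""
    parts = []
    for octet in ip_str.split('.'):
        if len(octet) > 1 and octet[0] == '0':
            if not set(octet) <= set('01234567'):
                return None
            parts.append(str(int(octet, 8)))
        else:
            parts.append(str(int(octet)))
    return '.'.join(parts)

def find_leading_zero_ips(log_lines):
    """Return (line_no, token, decimal_reading, octal_reading) for each
    address token in the logs that has a leading-zero octet."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in _IPV4_TOKEN.finditer(line):
            token = m.group(0)
            octets = token.split('.')
            if any(len(o) > 1 and o[0] == '0' for o in octets):
                decimal = '.'.join(str(int(o)) for o in octets)
                hits.append((n, token, decimal, octal_reading(token)))
    return hits

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    '2021-05-01T10:00:01Z GET /admin client=192.168.1.20 status=200',
    '2021-05-01T10:00:02Z GET /admin client=192.168.001.001 status=200',
    '2021-05-01T10:00:03Z GET /admin client=010.0.0.1 status=200',
    '2021-05-01T10:00:04Z GET /admin client=172.16.09.5 status=403',
    '2021-05-01T10:00:05Z GET /admin client=10.0.0.1 status=403',
]

if __name__ == '__main__':
    for line_no, token, dec, octal in find_leading_zero_ips(SAMPLE_LOG):
        print(f'line {line_no}: {token} decimal={dec} octal={octal}')
```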
🔗 References
- https://bugs.python.org/issue36384
- https://docs.python.org/3/library/ipaddress.html
- https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst
- https://github.com/python/cpython/pull/12577
- https://github.com/python/cpython/pull/25099
- https://github.com/sickcodes
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md
- https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
- https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html
- https://security.gentoo.org/glsa/202305-02
- https://security.netapp.com/advisory/ntap-20210622-0003/
- https://sick.codes/sick-2021-014
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html