Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Minor
Fix Version/s: 2.3.0.Alpha1, 2.3.0.Final, 2.2.18.Final
Affects Version/s: None
Component/s: None
Labels:
None

Steps to Reproduce:
Hide

Configure an ip address filter with a netmask e.g. "85.112.112.58/29 allow"

Try to connect from the ip address 85.112.112.58 => access is denied

Or in add this test to IPAddressAccessControlHandlerUnitTestCase.java

@Test public void testIPv4SlashMatchDefaultDeny() throws UnknownHostException { IPAddressAccessControlHandler handler = new IPAddressAccessControlHandler() .setDefaultAllow(false) .addAllow("85.112.112.58/29"); Assert.assertTrue(handler.isAllowed(InetAddress.getByName("85.112.112.58"))); }
Show
Configure an ip address filter with a netmask e.g. "85.112.112.58/29 allow" Try to connect from the ip address 85.112.112.58 => access is denied Or in add this test to IPAddressAccessControlHandlerUnitTestCase.java @Test public void testIPv4SlashMatchDefaultDeny() throws UnknownHostException { IPAddressAccessControlHandler handler = new IPAddressAccessControlHandler() .setDefaultAllow( false ) .addAllow( "85.112.112.58/29" ); Assert.assertTrue(handler.isAllowed(InetAddress.getByName( "85.112.112.58" ))); }
Workaround:

Workaround Exists
Workaround Description:

Hide

Instead of configuring ip-address/mask one can pass an adjusted ip address with the mask already applied, .e.g:

Original setting

85.112.112.58/29

IP address in binary: 01010101 01110000 01110000 001110 1 0

Workaround setting

85.112.112.56/29

IP address in binary: 01010101 01110000 01110000 001110 0 0

Binary netmask is 11111111 11111111 11111111 11111000 in both cases

Show
Instead of configuring ip-address/mask one can pass an adjusted ip address with the mask already applied, .e.g: Original setting 85.112.112. 58 /29 IP address in binary: 01010101 01110000 01110000 001110 1 0 Workaround setting 85.112.112. 56 /29 IP address in binary: 01010101 01110000 01110000 001110 0 0 Binary netmask is 11111111 11111111 11111111 11111000 in both cases
Git Pull Request:
https://github.com/undertow-io/undertow/pull/1314, https://github.com/undertow-io/undertow/pull/1336

When configuring an ip address filter with netmask it may not work as expected.

In our case we configured an ip address filter to allow specific IPs to access special URLs in our keycloak instances - but access was still denied.

We could nail down the issue to the undertow source code.

Maybe this could be solved by adding just one line to IPAddressAccessControlHandler.java:

 private void addIpV4SlashPrefix(final String peer, final boolean deny) {
        String[] components = peer.split("\\/");
        String[] parts = components[0].split("\\.");
        int maskLen = Integer.parseInt(components[1]);
        final int mask = Bits.intBitMask(32 - maskLen, 31);
        int prefix = 0;
        for (int i = 0; i < 4; ++i) {
            prefix <<= 8;
            String part = parts[i];
            int no = Integer.parseInt(part);
            prefix |= no;
        }
        prefix &= mask; // <-- adding this line fixes the tests
        ipv4acl.add(new PrefixIpV4PeerMatch(deny, peer, mask, prefix));
    }

is incorporated by

WFCORE-6057 Upgrade Undertow to 2.3.0.Final (CVE-2022-2764)

Closed

WFCORE-5946 Upgrade Undertow to 2.2.18.Final

Closed

Assignee:: Bartosz Baranowski

Reporter:: Jörg Matysiak (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2022/04/12 10:58 AM

Updated:: 2022/12/09 11:26 AM

Resolved:: 2022/06/01 8:47 AM

Details

Original setting

Workaround setting

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates