[OSSA 2013-004] DoS through XML entity expansion (CVE-2013-1664)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Cinder | Fix Released | High | Dan Prince | |
| Cinder (Folsom series) | Fix Released | High | Dan Prince | |
| OpenStack Compute (nova) | Fix Released | High | Dan Prince | |
| nova (Folsom series) | Fix Released | High | Dan Prince | |
| OpenStack Identity (keystone) | Fix Released | High | Dolph Mathews | |
| keystone (Essex series) | Fix Released | High | Dan Prince | |
| keystone (Folsom series) | Fix Released | High | Dolph Mathews | |
| OpenStack Security Advisory | Fix Released | Undecided | Thierry Carrez | |
| neutron | Fix Released | High | Davanum Srinivas (DIMS) | |
| oslo-incubator | Fix Released | High | Davanum Srinivas (DIMS) | |
| oslo-incubator (Grizzly series) | Fix Released | High | Davanum Srinivas (DIMS) | |
Bug Description
Jonathan Murray from NCC Group reported that you can DoS keystone servers using XML entities in Keystone requests.
[ Joshua Harlow from Yahoo! independently reported the same issue plaguing Nova (using minidom). ]
```http
POST /v2.0/tokens HTTP/1.1
content-type: application/xml

<!DOCTYPE foo [
<!ENTITY a "AAAA lots of As AAAAAAAAAAAAAAA
<!ENTITY b "&a;&a;
<!ENTITY c "&b;&b;
]>
<auth>
<tenantName>
<passwordCreden
<username>
<username>
<username>
<username>
<password>
<somethingElse>
<somethingElse1
<somethingElse2
</passwordCrede
</auth>
```
In that precise case it might be an issue with the XML library we use, although it sounds generally safer to disable parsing ENTITY blocks entirely if we can.
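The amplification the report describes, and the mitigation it suggests (refusing entity declarations outright rather than trusting the XML library), as an added example in Python that is not part of the bug report or of the OpenStack fix. It uses only the standard library: `build_entity_bomb` constructs a small payload shaped like the PoC above (the element names and the `admin` username are constructed sample values), `naive_parse_password_len` shows `xml.etree.ElementTree` on top of expat dutifully expanding it, and `NoEntityExpatParser` is a SAX parser handed to `minidom.parseString` that aborts on any DOCTYPE, entity declaration or external entity reference before expansion can start. The `lxml` `resolve_entities=False` route is not exercised here.

```python
import xml.etree.ElementTree as ET
from xml.dom import minidom
from xml.sax import expatreader


def build_entity_bomb(depth=3, fanout=10, seed="A" * 64):
    """Constructed payload in the shape of the report's PoC.

    e0 is the seed string; every e<i> references e<i-1> `fanout` times and
    the last one is placed inside a Keystone v2 token request body.  The
    defaults expand to 64 * 10**3 = 64000 bytes from a payload of a few
    hundred bytes; each extra level of `depth` multiplies that by `fanout`.
    """
    decls = ['<!ENTITY e0 "%s">' % seed]
    for i in range(1, depth + 1):
        refs = ("&e%d;" % (i - 1)) * fanout
        decls.append('<!ENTITY e%d "%s">' % (i, refs))
    # "admin" is a constructed sample value, not from the report.
    body = ("<auth><passwordCredentials><username>admin</username>"
            "<password>&e%d;</password></passwordCredentials></auth>" % depth)
    return "<!DOCTYPE auth [\n%s\n]>\n%s" % ("\n".join(decls), body)


def expected_expansion(depth=3, fanout=10, seed_len=64):
    """Bytes of text a parser materialises for the single &e<depth>; reference."""
    return seed_len * fanout ** depth


def naive_parse_password_len(payload):
    """A parser that honours internal entities (ElementTree over expat)
    expands the reference and holds the whole result in memory."""
    root = ET.fromstring(payload)
    return len(root.find("./passwordCredentials/password").text)


class UnsafeXMLError(ValueError):
    """Raised before any entity is expanded."""


class NoEntityExpatParser(expatreader.ExpatParser):
    """SAX parser that refuses DTDs and entity declarations outright.

    The hooks are installed in reset(), which is where ExpatParser creates
    the underlying pyexpat parser, so they are in place for every parse.
    An exception raised inside a pyexpat handler aborts the parse and
    propagates to the caller.
    """

    def reset(self):
        super().reset()
        p = self._parser
        p.StartDoctypeDeclHandler = self._forbid_doctype
        p.EntityDeclHandler = self._forbid_entity
        p.UnparsedEntityDeclHandler = self._forbid_entity
        p.ExternalEntityRefHandler = self._forbid_entity  # also blocks external (XXE-style) references

    def _forbid_doctype(self, name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE/DTD not accepted: %r" % name)

    def _forbid_entity(self, *args):
        raise UnsafeXMLError("entity declaration/reference not accepted")


def safe_parse(payload):
    """minidom.parseString accepts a SAX parser as its second argument; with
    ours, hostile input raises UnsafeXMLError before expansion and plain
    documents parse normally."""
    return minidom.parseString(payload, NoEntityExpatParser())


def is_rejected(payload):
    try:
        safe_parse(payload)
    except UnsafeXMLError:
        return True
    return False


if __name__ == "__main__":
    bomb = build_entity_bomb()
    print("payload bytes:", len(bomb))
    print("naive expansion:", naive_parse_password_len(bomb))
    print("safe parser rejects it:", is_rejected(bomb))
    benign = "<auth><username>u</username></auth>"
    print("benign document ok:", safe_parse(benign).documentElement.tagName)
```

The defaults are deliberately kept small: recent expat builds carry their own amplification guard, but it only activates once the expanded output reaches several megabytes, so a 64 KB expansion goes through and shows the geometric growth. Refusing the declarations up front is the deterministic fix regardless of which expat the service was built against, and it costs nothing for legitimate API clients, which never need a DOCTYPE in a token request.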
CVE References: CVE-2013-1664
Activity log

| Changed in | Field | Change |
|---|---|---|
| keystone | status | New → Confirmed |
| keystone | assignee | nobody → Dolph Mathews (dolph) |
| keystone | milestone | none → 2012.2.3 |
| keystone | milestone | 2012.2.3 → none |
| cinder | status | New → Confirmed |
| cinder | importance | Undecided → High |
| quantum | status | New → Confirmed |
| quantum | importance | Undecided → High |
| keystone | status | Confirmed → Triaged |
| nova | assignee | nobody → Dan Prince (dan-prince) |
| nova | status | Confirmed → In Progress |
| cinder | assignee | nobody → Dan Prince (dan-prince) |
| cinder | status | Confirmed → In Progress |
| oslo | importance | Undecided → High |
| | summary | DoS through XML entity expansion → DoS through XML entity expansion (CVE-2013-1664) |
| oslo | assignee | nobody → Dan Prince (dan-prince) |
| quantum | assignee | nobody → Dan Prince (dan-prince) |
| | information type | Private Security → Public Security |
| keystone | milestone | none → grizzly-3 |
| keystone | status | Fix Committed → Fix Released |
| nova | milestone | none → grizzly-3 |
| nova | status | Fix Committed → Fix Released |
| cinder | milestone | none → grizzly-3 |
| cinder | status | Fix Committed → Fix Released |
| quantum | milestone | none → grizzly-rc1 |
| oslo | milestone | none → grizzly-rc1 |
| quantum | status | Fix Committed → Fix Released |
| oslo | status | Fix Committed → Fix Released |
| keystone | milestone | grizzly-3 → 2013.1 |
| quantum | milestone | grizzly-rc1 → 2013.1 |
| nova | milestone | grizzly-3 → 2013.1 |
| cinder | milestone | grizzly-3 → 2013.1 |
| | summary | DoS through XML entity expansion (CVE-2013-1664) → [OSSA 2013-004] DoS through XML entity expansion (CVE-2013-1664) |
| ossa | assignee | nobody → Thierry Carrez (ttx) |
| ossa | status | New → Fix Released |
| | no longer affects | nova/essex |
| | information type | Public Security → Private Security |
| | information type | Private Security → Private |
| | information type | Private → Public Security |
Looks like we could pass an etree.XMLParser with resolve_entities=False to etree.fromstring. Thoughts?