[OSSA 2013-004] DoS through XML entity expansion (CVE-2013-1664)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Cinder | Fix Released | High | Dan Prince | |
| Folsom | Fix Released | High | Dan Prince | |
| OpenStack Compute (nova) | Fix Released | High | Dan Prince | |
| Folsom | Fix Released | High | Dan Prince | |
| OpenStack Identity (keystone) | Fix Released | High | Dolph Mathews | |
| Essex | Fix Released | High | Dan Prince | |
| Folsom | Fix Released | High | Dolph Mathews | |
| OpenStack Security Advisory | Fix Released | Undecided | Thierry Carrez | |
| neutron | Fix Released | High | Davanum Srinivas (DIMS) | |
| oslo-incubator | Fix Released | High | Davanum Srinivas (DIMS) | |
| Grizzly | Fix Released | High | Davanum Srinivas (DIMS) | |
Bug Description
Jonathan Murray from NCC Group reported that you can DoS keystone servers using XML entities in Keystone requests.
[ Joshua Harlow from Yahoo! independently reported the same issue plaguing Nova (using minidom). ]
```
POST /v2.0/tokens HTTP/1.1
content-type: application/xml
<!DOCTYPE foo [
<!ENTITY a "AAAA lots of As AAAAAAAAAAAAAAA
<!ENTITY b "&a;&a;
<!ENTITY c "&b;&b;
]>
<auth>
<tenantName>
<passwordCreden
<username>
<username>
<username>
<username>
<password>
<somethingElse>
<somethingElse1
<somethingElse2
</passwordCrede
</auth>
```
In that precise case it might be an issue with the XML library we use, although it sounds generally safer to disable parsing ENTITY blocks entirely if we can.
CVE References: CVE-2013-1664
| Changed in keystone: | |
| status: | New → Confirmed |
| assignee: | nobody → Dolph Mathews (dolph) |
| Changed in keystone: | |
| milestone: | none → 2012.2.3 |
| Changed in keystone: | |
| milestone: | 2012.2.3 → none |
| Changed in cinder: | |
| status: | New → Confirmed |
| importance: | Undecided → High |
| Changed in quantum: | |
| status: | New → Confirmed |
| importance: | Undecided → High |
| Changed in keystone: | |
| status: | Confirmed → Triaged |
| Changed in nova: | |
| assignee: | nobody → Dan Prince (dan-prince) |
| Changed in nova: | |
| status: | Confirmed → In Progress |
| Changed in cinder: | |
| assignee: | nobody → Dan Prince (dan-prince) |
| status: | Confirmed → In Progress |
| Changed in oslo: | |
| importance: | Undecided → High |
| summary: | DoS through XML entity expansion → DoS through XML entity expansion (CVE-2013-1664) |
| Changed in oslo: | |
| assignee: | nobody → Dan Prince (dan-prince) |
| Changed in quantum: | |
| assignee: | nobody → Dan Prince (dan-prince) |
| information type: | Private Security → Public Security |
| Changed in keystone: | |
| milestone: | none → grizzly-3 |
| status: | Fix Committed → Fix Released |
| Changed in nova: | |
| milestone: | none → grizzly-3 |
| status: | Fix Committed → Fix Released |
| Changed in cinder: | |
| milestone: | none → grizzly-3 |
| status: | Fix Committed → Fix Released |
| Changed in quantum: | |
| milestone: | none → grizzly-rc1 |
| Changed in oslo: | |
| milestone: | none → grizzly-rc1 |
| Changed in quantum: | |
| status: | Fix Committed → Fix Released |
| Changed in oslo: | |
| status: | Fix Committed → Fix Released |
| Changed in keystone: | |
| milestone: | grizzly-3 → 2013.1 |
| Changed in quantum: | |
| milestone: | grizzly-rc1 → 2013.1 |
| Changed in nova: | |
| milestone: | grizzly-3 → 2013.1 |
| Changed in cinder: | |
| milestone: | grizzly-3 → 2013.1 |
| summary: | DoS through XML entity expansion (CVE-2013-1664) → [OSSA 2013-004] DoS through XML entity expansion (CVE-2013-1664) |
| Changed in ossa: | |
| assignee: | nobody → Thierry Carrez (ttx) |
| status: | New → Fix Released |
| no longer affects: | nova/essex |
| information type: | Public Security → Private Security |
| information type: | Private Security → Private |
| information type: | Private → Public Security |

Looks like we could pass an etree.XMLParser with resolve_entities=False to etree.fromstring. Thoughts?
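One defender-side way to act on the description's suggestion of disabling ENTITY parsing entirely, using only the standard library so it also covers the minidom path mentioned for Nova. This is an added example, not the fix OpenStack shipped: `ProtectedExpatParser`, `safe_parse` and `is_accepted` are names chosen here, and the two sample bodies are constructed.

```python
"""Refuse XML that declares entities before any expansion can happen.

Added example, stdlib only; not the fix that shipped in Keystone or Nova.
"""
import xml.dom.minidom
from xml.sax.expatreader import ExpatParser


class EntityDeclarationError(ValueError):
    """The document's DTD declares an entity or references an external one."""


class ProtectedExpatParser(ExpatParser):
    """SAX/expat reader that aborts at the first entity declaration.

    Hypothetical hardened reader: expat invokes these hooks while reading the
    DTD, before any reference in the body is expanded, so an a/b/c chain like
    the one in the report is rejected at its first <!ENTITY> line.
    """

    def reset(self):
        ExpatParser.reset(self)  # builds the underlying pyexpat parser
        self._parser.EntityDeclHandler = self._forbid
        self._parser.UnparsedEntityDeclHandler = self._forbid
        self._parser.ExternalEntityRefHandler = self._forbid

    def _forbid(self, *args):
        raise EntityDeclarationError("entity declarations are not accepted")


def safe_parse(xml_text):
    """Parse a decoded request body with minidom, refusing entity declarations."""
    return xml.dom.minidom.parseString(xml_text, ProtectedExpatParser())


def is_accepted(xml_text):
    """True if safe_parse() accepts the body, False if it refused it."""
    try:
        safe_parse(xml_text)
    except EntityDeclarationError:
        return False
    return True


# Constructed samples (not from the report): a plain auth body, and one whose
# DTD declares a single internal entity, the first link of an expansion chain.
BENIGN_AUTH = "<auth><tenantName>demo</tenantName></auth>"
ENTITY_AUTH = '<!DOCTYPE auth [<!ENTITY a "AAAA">]><auth><tenantName>&a;</tenantName></auth>'

if __name__ == "__main__":
    print("benign accepted:", is_accepted(BENIGN_AUTH))  # True
    print("entity body accepted:", is_accepted(ENTITY_AUTH))  # False
```

The body must be passed as `str` (decode the request first) because minidom routes a custom parser through pulldom, which wraps the input in a StringIO.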