yahoo-eng-team team mailing list archive
Message #04470
[Bug 1190229] Re: [OSSA 2013-023] Potential unsafe XML usage (CVE-2013-4179, CVE-2013-4202)
** Changed in: cinder
Status: Fix Committed => Fix Released
** Changed in: cinder
Milestone: None => havana-3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1190229
Title:
[OSSA 2013-023] Potential unsafe XML usage (CVE-2013-4179, CVE-2013-4202)
Status in Cinder:
Fix Released
Status in Cinder grizzly series:
Fix Released
Status in OpenStack Neutron (virtual network service):
Invalid
Status in OpenStack Compute (Nova):
Fix Committed
Status in OpenStack Compute (nova) grizzly series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
Grant Murphy (gmurphy@xxxxxxxxxx) conducted an audit of OpenStack and
reported the following potential XML-related vulnerabilities. These
may well not be exploitable; we need to double-check them.
===================================================
Issue #1 (CWE-776) - Widespread and inconsistent usage of XML libraries that are vulnerable to various XML resource exhaustion attack vectors. This was mostly addressed in bug 1100282; however, I can still find instances of minidom.parseString used directly in contributors' code:
nova/nova/virt/libvirt/driver.py
1640: dom = minidom.parseString(xml)
1657: dom = minidom.parseString(xml)
nova/nova/virt/xenapi/vm_utils.py
1501: rrd = minidom.parseString(xml)
1542: doc = minidom.parseString(xml)
nova/nova/api/openstack/compute/contrib/security_groups.py
542: root = minidom.parseString(req.body)
nova/nova/api/openstack/compute/contrib/security_group_default_rules.py
76: dom = minidom.parseString(string)
cinder/cinder/api/contrib/backups.py
85: dom = minidom.parseString(string)
104: dom = minidom.parseString(string)
cinder/cinder/api/contrib/volume_transfer.py
65: dom = minidom.parseString(string)
83: dom = minidom.parseString(string)
Furthermore there are inconsistencies in the fix between components.
For example in Quantum they use a ProtectedXMLParser in
quantum/quantum/wsgi.py for XMLDeserialization. The implementation is
as follows:
class ProtectedXMLParser(etree.XMLParser):
    def __init__(self, *args, **kwargs):
        etree.XMLParser.__init__(self, *args, **kwargs)
        # hook the underlying expat parser so any DOCTYPE aborts parsing
        self._parser.StartDoctypeDeclHandler = self.start_doctype_decl

    def start_doctype_decl(self, name, sysid, pubid, internal):
        raise ValueError(_("Inline DTD forbidden"))

    # target-style doctype() callback, kept for the same reason
    def doctype(self, name, pubid, system):
        raise ValueError(_("Inline DTD forbidden"))
Although etree.XMLParser does not automatically expand external
entities by default, it is vulnerable to billion laughs and quadratic
blowup according to the defusedxml documentation. (I'm not sure this
is still accurate though.)
For consistency alone I would recommend shifting these libraries across the board:
- https://pypi.python.org/pypi/defusedxml/
- https://pypi.python.org/pypi/defusedexpat/
========================================================
Issue #2 (CWE-112) - Missing schema validation. There are several instances where XML data is processed from an external source that is not validated against an XML schema. This is a best practice that should be considered.
========================================================
Issue #3 (Probably not a bug) - HTTP parameters used directly in XML output. The output appears to use sax.xhtml_escape, so in theory it is safe. Could use a whitelist to reject unexpected input.
The case I'm specifically talking about is the BucketHandler class in
nova/nova/objectstore/s3server.py. This does:
prefix = self.request.params.get("prefix", "")
marker = self.request.params.get("marker", "")
And uses these values directly in render_xml (results sent to end user).
This one is probably harmless but thought I'd mention it anyway.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1190229/+subscriptions
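The entity-expansion problem behind Issue #1 and the DOCTYPE-rejecting parser quoted from quantum/wsgi.py, as an added example that is not part of the bug report or of any OpenStack project. It uses only the Python standard library: a small, constructed billion-laughs document is fed to plain ElementTree (which lets expat expand the entities) and then to a hardened parser that hooks expat's declaration callbacks and aborts before anything is expanded, which is the same idea defusedxml implements. The helper names safe_fromstring, billion_laughs, expansion_length and parse_status are hypothetical and chosen for this demo.

```python
"""Entity-expansion (CWE-776) demo: plain ElementTree beside a hardened parser.

Added example, not code from the bug report or from any OpenStack project.
Standard library only; the helper names below are hypothetical."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenDTD(ValueError):
    """Input carries a DOCTYPE or entity declaration; refuse to parse it."""


def safe_fromstring(data):
    """Parse untrusted XML into an Element, aborting on any DTD or entity
    declaration *before* expat gets a chance to expand anything.

    Same idea as the ProtectedXMLParser quoted in the bug (hook the expat
    StartDoctypeDeclHandler and raise), but driven through the expat API
    directly so it behaves identically under the C-accelerated ElementTree
    of current Python 3.  Namespaces are not split into {uri}local form.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def forbid(*_args):
        raise ForbiddenDTD("DTD / entity declarations are not allowed")

    # DOCTYPE, internal entity declarations and external entity references
    # all hit these callbacks before any expansion takes place.
    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    # Everything else is forwarded to a normal ElementTree builder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.buffer_text = True  # coalesce character data into one callback
    parser.Parse(data, True)
    return builder.close()


def billion_laughs(depth, fanout=10, leaf="lol"):
    """Constructed billion-laughs payload: `depth` levels of internal
    entities, each referencing the previous one `fanout` times.
    Keep depth small (2-3) when running this; depth=9 is the classic
    multi-gigabyte bomb."""
    decls = ['<!ENTITY lol0 "%s">' % leaf]
    for i in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * fanout))
    return "<!DOCTYPE lolz [%s]><lolz>&lol%d;</lolz>" % ("".join(decls), depth)


def expansion_length(doc):
    """Parse with plain ElementTree, which lets expat expand the internal
    entities, and return the size the element text ballooned to."""
    return len(ET.fromstring(doc).text or "")


def parse_status(doc):
    """Return 'rejected' if the hardened parser refuses the document,
    otherwise the root tag name."""
    try:
        return safe_fromstring(doc).tag
    except ForbiddenDTD:
        return "rejected"


if __name__ == "__main__":
    # Constructed inputs: a benign API body shaped like the security_groups
    # extension, a small entity bomb, and an external-entity (XXE) probe.
    benign = "<security_group><name>web</name></security_group>"
    bomb = billion_laughs(depth=2)  # 3 * 10 * 10 = 300 characters of "lol"
    xxe = '<!DOCTYPE a [<!ENTITY f SYSTEM "file:///etc/passwd">]><a>&f;</a>'
    print("plain ElementTree expanded the bomb to %d chars" % expansion_length(bomb))
    for name, doc in [("benign", benign), ("bomb", bomb), ("xxe", xxe)]:
        print("%-6s -> %s" % (name, parse_status(doc)))
```

Raising from the expat callback is what makes this safe: the parser stops at the `<!DOCTYPE` token, so neither the nested internal entities nor the SYSTEM entity are ever resolved, whereas ET.fromstring happily expands the same document (bounded here only by the tiny depth). The same three callbacks are what defusedxml installs under the hood, which is why switching the minidom.parseString call sites listed in the bug to defusedxml gives consistent behaviour across components.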