[Openstack-devel] Bug#700949: CVE-2013-0280: Information leak and Denial of Service using XML entities
Thomas Goirand
zigo at debian.org
Tue Feb 19 16:03:29 UTC 2013
Package: nova
Version: 2012.1.1-12
Severity: grave
Tags: security
Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart Stent
independently reported a vulnerability in the parsing of XML requests in
Keystone, Nova and Cinder. By using entities in XML requests, an
unauthenticated attacker may consume excessive resources on the Keystone, Nova
or Cinder API servers, resulting in a denial of service and potentially a
crash. Authenticated attackers may also leverage XML entities to read the
content of a local file on the Keystone API server. This only affects servers
with XML support enabled.
Adds a new utils.safe_minidom_parse_string function and updates external API
facing Nova modules to use it. This ensures we have safe defaults on our
incoming API XML parsing.
Internally safe_minidom_parse_string uses a ProtectedExpatParser class to
disable DTDs and entities from being parsed when using minidom.
Patched version is ready, upload is coming.
Thomas Goirand (zigo)
More information about the Openstack-devel
mailing list