Bug 1127538 (CVE-2014-5267)

Summary: CVE-2014-5265 CVE-2014-5266 CVE-2014-5267 drupal: denial of service issue (SA-CORE-2014-004)
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: carnil, ccoleman, dmcphers, gwync, jialiu, jokerman, jrusnack, kseifried, lmeyer, mmccomas, mmcgrath, peter.borsa, security-response-team, shawn, stickster, sven, vdanen
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: drupal 6.33, drupal 7.31
Doc Type: Bug Fix
Last Closed: 2014-11-24 05:38:57 UTC
Bug Depends On: 1127539, 1127540, 1127541, 1127542, 1127543

Description Murray McAllister 2014-08-07 06:01:53 UTC
The upstream Drupal 6.33 and 7.31 releases fix the following issue:

""
Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

All Drupal sites are vulnerable to this attack whether XML-RPC is used or not.

In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled).
""

Reference:

https://www.drupal.org/SA-CORE-2014-004

CVE request:

http://www.openwall.com/lists/oss-security/2014/08/07/1
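The advisory quoted above describes two ways to exhaust an XML-RPC endpoint: entity expansion driven by a client-supplied DTD, and a payload with an unreasonably large number of tags. The block below is an added example, written for this page, of the kind of cheap string-level gate that refuses both before the bytes ever reach an XML parser. It is not Drupal's xmlrpc.inc, and the root-element whitelist, the 30000-tag budget, the function names and the sample payloads are all assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Limits and names below are choices made for this example (assumptions),
# not values taken from the Drupal advisory or the Drupal source.
DEFAULT_MAX_TAGS = 30000
ALLOWED_ROOTS = (b"methodCall", b"methodResponse", b"fault")

_XML_DECL = re.compile(rb"^\s*<\?xml.*?\?>", re.S)
_DTD = re.compile(rb"<!(DOCTYPE|ENTITY)", re.I)
_ROOT_TAG = re.compile(rb"^<([A-Za-z_][\w.:-]*)")


def precheck_xmlrpc(payload: bytes, max_tags: int = DEFAULT_MAX_TAGS):
    """String-level checks applied before the bytes reach an XML parser.

    Returns (True, "ok") or (False, reason). The checks are deliberately
    cheap (substring search and counting) so that rejecting a large hostile
    payload costs far less than parsing it would.
    """
    body = _XML_DECL.sub(b"", payload, count=1).lstrip()
    if not body:
        return False, "empty document"
    # An XML-RPC request never needs a DTD. DOCTYPE/ENTITY declarations are
    # where entity-expansion payloads live, so refuse them outright instead
    # of letting the parser expand them.
    if _DTD.search(body):
        return False, "DTD not allowed"
    m = _ROOT_TAG.match(body)
    if not m or m.group(1) not in ALLOWED_ROOTS:
        return False, "unexpected root element"
    # Counting '<' over-counts (closing tags, comments, CDATA), so compare
    # against twice the tag budget. A flood of tiny elements ties up the
    # parser just as effectively as entity expansion does.
    if body.count(b"<") > 2 * max_tags:
        return False, "too many tags"
    return True, "ok"


def parse_method_call(payload: bytes, max_tags: int = DEFAULT_MAX_TAGS):
    """Return the methodName of a methodCall, or None if the payload is rejected."""
    ok, _reason = precheck_xmlrpc(payload, max_tags)
    if not ok:
        return None
    root = ET.fromstring(payload)   # only reached for pre-screened input
    if root.tag != "methodCall":
        return None
    return root.findtext("methodName")


# Constructed sample payloads (not captured traffic).
BENIGN = (b'<?xml version="1.0"?>\n<methodCall>'
          b'<methodName>system.listMethods</methodName><params/></methodCall>')


def billion_laughs(depth: int = 9, fanout: int = 10) -> bytes:
    """Classic entity-expansion payload: each entity references the previous
    one `fanout` times, so the final reference expands to fanout**depth copies."""
    entities = [b'<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = b"&lol;" if i == 1 else b"&lol%d;" % (i - 1)
        entities.append(b'<!ENTITY lol%d "%s">' % (i, prev * fanout))
    dtd = b'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + b"\n".join(entities) + b"\n]>\n"
    call = b"<methodCall><methodName>&lol%d;</methodName></methodCall>" % depth
    return dtd + call


# No DTD at all, just far more elements than any legitimate call carries.
TAG_FLOOD = b"<methodCall>" + b"<a/>" * 70000 + b"</methodCall>"


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN),
                         ("billion laughs", billion_laughs()),
                         ("tag flood", TAG_FLOOD)):
        print(name, precheck_xmlrpc(sample), parse_method_call(sample))
```

The gate runs before `xml_parser_create()`-style parsing would start, which is the point: once a parser has begun expanding a DTD or building a tree for tens of thousands of elements, the CPU, memory and database-connection cost the advisory describes has already been paid.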

Comment 2 Murray McAllister 2014-08-07 06:04:05 UTC
Created drupal7 tracking bugs for this issue:

Affects: fedora-all [bug 1127541]
Affects: epel-all [bug 1127542]

Comment 3 Murray McAllister 2014-08-07 06:04:07 UTC
Created drupal6 tracking bugs for this issue:

Affects: fedora-all [bug 1127539]
Affects: epel-all [bug 1127540]

Comment 4 Murray McAllister 2014-08-19 03:11:19 UTC
MITRE assigned the following CVEs:

CVE-2014-5265 to the denial of service issue:

http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830

(This CVE also applies to WordPress, https://bugzilla.redhat.com/show_bug.cgi?id=1127547)

CVE-2014-5266 to the "Skip parsing if there is an unreasonably large number of tags" issue in both xmlrpc.inc and xrds.inc:

http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830
http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830

(This CVE also applies to WordPress, https://bugzilla.redhat.com/show_bug.cgi?id=1127547)

CVE-2014-5267 to rejecting certain malformed XRDS documents:

http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830

Comment 5 Murray McAllister 2014-08-19 03:12:58 UTC
(In reply to Murray McAllister from comment #4)
> MITRE assigned the following CVEs:
> 
> CVE-2014-5265 to the denial of service issue:
> 
> http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830
> 
> (This CVE also applies to WordPress,
> https://bugzilla.redhat.com/show_bug.cgi?id=1127547)
> 
> CVE-2014-5266 to the "Skip parsing if there is an unreasonably large number
> of tags" issue in both xmlrpc.inc and xrds.inc:
> 
> http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830
> http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830
> 
> (This CVE also applies to WordPress,
> https://bugzilla.redhat.com/show_bug.cgi?id=1127547)
> 
> CVE-2014-5267 to rejecting certain malformed XRDS documents:
> 
> http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830

Reference:

http://seclists.org/oss-sec/2014/q3/385

Comment 6 Fedora Update System 2014-08-21 09:41:52 UTC
drupal7-7.31-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-08-21 09:45:39 UTC
drupal7-7.31-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-08-29 19:41:56 UTC
drupal7-7.31-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-09-26 09:05:25 UTC
drupal6-6.33-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2014-09-26 17:00:49 UTC
drupal6-6.33-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2014-09-26 17:02:09 UTC
drupal6-6.33-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2014-11-01 22:32:04 UTC
drupal7-7.32-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Shawn Iwinski 2014-11-22 16:35:53 UTC
All dependent bugs have been closed and all dists have drupal7-7.32 in stable.  Can this bug be closed?