Bug 1139000

Summary: CVE-2014-3573 ovirt-engine-backend: oVirt Engine: XML eXternal Entity (XXE) flaw in backend module
Product: [Retired] oVirt Reporter: Alon Bar-Lev <alonbl>
Component: ovirt-engine-coreAssignee: Alon Bar-Lev <alonbl>
Status: CLOSED CURRENTRELEASE QA Contact: Petr Beňas <pbenas>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.5CC: ecohen, gklein, iheim, lsurette, pbenas, pstehlik, rbalakri, yeylon
Target Milestone: ---Keywords: Security, ZStream
Target Release: 3.4.4   
Hardware: Unspecified   
OS: Unspecified   
URL: https://www.redhat.com/security/data/cve/CVE-2014-3573.html
Whiteboard: infra
Fixed In Version: ovirt-3.5.0_rc2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-24 08:08:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1125803, 1154674    

Description Alon Bar-Lev 2014-09-07 11:13:46 UTC 
It was discovered that, when loading XML/RSDL documents, the oVirt Engine back end module used an insecure DocumentBuilderFactory. A remote, authenticated attacker could use this flaw to read files accessible to the user running the ovirt-engine server, and potentially perform other more advanced XML External Entity (XXE) attacks.
Comment 1 Petr Beňas 2014-09-16 13:00:05 UTC 
in ovirt-engine-backend-3.5.0-0.0.master.20140911085455.gite1c5ffd.el6.noarch
Comment 2 Sandro Bonazzola 2014-09-24 08:08:49 UTC 
oVirt 3.4.4 has been released.