Bug 910222

Summary: CVE-2013-1664 CVE-2013-1665 OpenStack cinder: XML entity parsing
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: apevec, cpelland, eharney, markmc, rbryant, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-20 04:58:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 910232
Bug Blocks: 910225, 912982, 913808
Attachments:
  cinder-folsom-CVE-2013-0279.patch (flags: none)
  cinder-grizzly-CVE-2013-0279.patch (flags: none)

Description Kurt Seifried 2013-02-12 03:58:07 UTC
Thierry Carrez (thierry) reports:

Title: Information leak and Denial of Service using XML entities
Reporter: Jonathan Murray (NCC Group), Joshua Harlow (Yahoo!), Stuart Stent
Products: Keystone, Nova, Cinder
Affects: All versions

Description:
Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart
Stent independently reported a vulnerability in the parsing of XML
requests in Keystone, Nova and Cinder. By using entities in XML
requests, an unauthenticated attacker may consume excessive resources on
the Keystone, Nova or Cinder API servers, resulting in a denial of
service and potentially a crash. This only affects servers with XML 
support enabled.

Proposed patches:
See attached patches for current development tree (Grizzly) and the
Folsom and Essex series for each of the affected projects. Unless a flaw
is discovered in them, these proposed patches will be merged to master,
stable/folsom and stable/essex branches on the public disclosure date.
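
An added illustration of one standard mitigation for the entity-based resource exhaustion described above, written for this page and not taken from the attached patches: a Python expat reader that aborts the parse on any DOCTYPE, entity declaration or external entity reference, wrapped so that it drops into a minidom-based request deserializer. The request bodies are constructed samples, and the use of xml.dom.minidom for the API's XML deserialization is an assumption.

```python
import io
from xml.dom import minidom
from xml.sax import expatreader


class EntityDeclarationError(ValueError):
    """Body carries a DTD, an entity declaration or an external entity ref."""


class ProtectedExpatParser(expatreader.ExpatParser):
    """SAX/expat reader that aborts as soon as the document tries to define
    or pull in entities. API request bodies never legitimately need a DTD,
    so refusing them outright removes the entity-expansion surface instead
    of trying to bound how far expansion may go."""

    def reset(self):
        # The base class recreates the expat parser on every reset, so the
        # guard callbacks must be reinstalled here rather than in __init__.
        expatreader.ExpatParser.reset(self)
        self._parser.StartDoctypeDeclHandler = self._reject
        self._parser.EntityDeclHandler = self._reject
        self._parser.UnparsedEntityDeclHandler = self._reject
        self._parser.ExternalEntityRefHandler = self._reject

    def _reject(self, *args):
        # Raising inside an expat callback aborts the parse at once; the
        # exception propagates out of minidom.parse() to the caller.
        raise EntityDeclarationError("DTDs and entity declarations are refused")


def safe_minidom_parse_string(body: bytes) -> minidom.Document:
    """Build a minidom tree from a request body, raising
    EntityDeclarationError before any entity could be expanded."""
    return minidom.parse(io.BytesIO(body), ProtectedExpatParser())


def accepts(body: bytes) -> bool:
    """True if the body parses, False if it declared entities; other XML
    errors (malformed input) still propagate for the API to map to 400."""
    try:
        safe_minidom_parse_string(body)
    except EntityDeclarationError:
        return False
    return True


# Constructed sample bodies (not from the advisory or attached patches): a
# plain volume-create style request, and one with an internal DTD subset.
BENIGN_REQUEST = b'<volume size="1"><display_name>backup-01</display_name></volume>'
ENTITY_REQUEST = (b'<!DOCTYPE volume [<!ENTITY x "placeholder">]>'
                  b'<volume size="1"><display_name>&x;</display_name></volume>')
```

Because the DOCTYPE handler fires before the internal subset is read, the rejection happens before a single entity is defined, so the cost of a hostile body is bounded by its raw size rather than by its expansion.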

Comment 1 Kurt Seifried 2013-02-12 03:58:43 UTC
Created attachment 696353 [details]
cinder-folsom-CVE-2013-0279.patch

Comment 2 Kurt Seifried 2013-02-12 03:58:59 UTC
Created attachment 696354 [details]
cinder-grizzly-CVE-2013-0279.patch

Comment 5 errata-xmlrpc 2013-03-21 18:13:25 UTC
This issue has been addressed in the following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0658 https://rhn.redhat.com/errata/RHSA-2013-0658.html