Bug 910224

Summary: CVE-2013-1664 CVE-2013-1665 OpenStack nova: XML entity parsing
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apevec, cpelland, markmc, ndipanov, pbrady, rbryant, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-07 02:55:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 910228, 910231    
Bug Blocks: 910225, 913808    
Attachments:
Description Flags
nova-essex-CVE-2013-0280.patch
none
nova-folsom-CVE-2013-0280.patch
none
nova-grizzly-CVE-2013-0280.patch none

Description Kurt Seifried 2013-02-12 04:00:02 UTC 
Thierry Carrez (thierry) reports:

Title: Information leak and Denial of Service using XML entities
Reporter: Jonathan Murray (NCC Group), Joshua Harlow (Yahoo!), Stuart Stent
Products: Keystone, Nova, Cinder
Affects: All versions

Description:
Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart
Stent independently reported a vulnerability in the parsing of XML
requests in Keystone, Nova and Cinder. By using entities in XML
requests, an unauthenticated attacker may consume excessive resources on
the Keystone, Nova or Cinder API servers, resulting in a denial of
service and potentially a crash. This only affects servers with XML 
support enabled.

Proposed patches:
See attached patches for current development tree (Grizzly) and the
Folsom and Essex series for each of the affected projects. Unless a flaw
is discovered in them, these proposed patches will be merged to master,
stable/folsom and stable/essex branches on the public disclosure date.
Comment 1 Kurt Seifried 2013-02-12 04:01:16 UTC 
Created attachment 696367 [details]
nova-essex-CVE-2013-0280.patch
Comment 2 Kurt Seifried 2013-02-12 04:01:41 UTC 
Created attachment 696368 [details]
nova-folsom-CVE-2013-0280.patch
Comment 3 Kurt Seifried 2013-02-12 04:02:00 UTC 
Created attachment 696369 [details]
nova-grizzly-CVE-2013-0280.patch
Comment 7 Vincent Danen 2013-02-19 19:05:18 UTC 
External References:

http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html
Comment 8 Alan Pevec 2013-02-19 23:16:39 UTC 
NB: use CVE-2013-1664, CVE-2013-1665 for OpenStack
(see https://bugzilla.redhat.com/show_bug.cgi?id=910221#c7)
Comment 10 Vincent Danen 2013-02-20 05:10:12 UTC 
See bug 912400 which was filed for CVE-2013-166[45].

These bugs should probably be CLOSED:NOTABUG.
Comment 11 errata-xmlrpc 2013-03-21 18:16:15 UTC 
This issue has been addressed in following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0657 https://rhn.redhat.com/errata/RHSA-2013-0657.html