Bug 915149 (CVE-2013-0339)

Summary: CVE-2013-0339 libxml2: CPU consumption DoS and other effects when performing string substitutions during external entities expansion
Product: [Other] Security Response
Component: vulnerability
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: btotty, c.david86, klepikho, mnowak, veillard
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-02-27 04:45:57 UTC
Bug Blocks: 912428

Description Huzaifa S. Sidhpurwala 2013-02-25 05:25:38 UTC
A denial of service flaw was found in the way libxml2, a library providing support to read, modify and write XML and HTML files, performed string substitutions when entity values for external entity references replacement (--noent option) was requested / enabled during the XML file parsing. A remote attacker could provide a specially-crafted XML file containing an external entity expansion which, when processed, would lead to excessive CPU consumption (denial of service).

This is a different flaw from CVE-2013-0338.

Upstream patch:


Comment 1 Huzaifa S. Sidhpurwala 2013-02-25 05:27:07 UTC


Comment 3 Huzaifa S. Sidhpurwala 2013-02-27 04:45:57 UTC
Apart from causing DoS, External Entity Expansion could be abused in several other ways, which include:

- An attacker can circumvent firewalls and gain access to restricted resources as all the requests are made from an internal and trustworthy IP address, not from the outside.

- An attacker can abuse a service to attack, spy on or DoS not only your servers but also third-party services. The attack is disguised with the IP address of the server and the attacker is able to utilize the high bandwidth of a big machine.

More details and write-up available at:

This flaw can be mitigated by not expanding external entities, especially the ones which come from untrusted sources.

libxml2 already provides mechanisms to disable external entities which applications can use.

Closing this flaw as "wontfix"

Comment 7 Huzaifa S. Sidhpurwala 2014-02-05 07:23:10 UTC
This issue has been marked as WONTFIX for both Red Hat Enterprise Linux 5 and 6.

External Entity Expansion is the default behaviour of libxml2. Applications using libxml2 have an option of turning it off via an API, before parsing an xml file. While external entity expansion is dangerous when parsing untrusted xml files, it is an often required feature of certain applications like docbook, which only parse trusted xml files. For this reason we have decided to keep it on by default and encourage application developers to turn it off, when

Comment 8 Tomas Hoger 2014-05-13 19:59:22 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #7)
> External Entity Expansion is the default behaviour of libxml2. Applications
> using libxml2 have an option of turning it off via an API, before parsing an
> xml file.

The above information is not correct.  The default behavior of libxml2 is to not expand entity references, whether they are internal or external.  Applications using libxml2 can enable entity expansion by setting the XML_PARSE_NOENT parser option.  That option enables processing of both internal and external entities.  This is not recommended when processing untrusted XML input.

Note that the exact scope of this CVE is currently unclear, as discussed in further detail in the following oss-security mailing list post:


Its description suggests the CVE was created because of the lack of an easy way for applications to prevent external entity expansion.  However, as noted above, the default behavior is to not expand entities.

The CVE also references this libxml2 upstream commit:


That commit addressed a bug in the way libxml2 handled external entities.  Even when entity expansion was disabled, libxml2 was still fetching external entities.  This still made it vulnerable to certain XML eXternal Entity (XXE) issues such as DoS attacks or firewall circumvention, but would not allow easy information leak.

The above fix was applied to libxml2 packages in Red Hat Enterprise Linux 6 via RHSA-2012:1288:


Note that the libxml2 packages for Red Hat Enterprise Linux 5 released via the same erratum did not get the same fix.

The above commit only resolved the issue for general entities.  A similar problem was found to affect processing of parameter entities and was assigned CVE-2014-0191, see bug 1090976.