Bug 1127538 (CVE-2014-5267) - CVE-2014-5265 CVE-2014-5266 CVE-2014-5267 drupal: denial of service issue (SA-CORE-2014-004)
Summary: CVE-2014-5265 CVE-2014-5266 CVE-2014-5267 drupal: denial of service issue (SA...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-5267
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20140806,repor...
Depends On: 1127539 1127540 1127541 1127542 1127543
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-08-07 06:01 UTC by Murray McAllister
Modified: 2019-06-08 20:08 UTC (History)
17 users (show)

Fixed In Version: drupal 6.33, drupal 7.31
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-24 05:38:57 UTC


Attachments (Terms of Use)

Description Murray McAllister 2014-08-07 06:01:53 UTC
The upstream Drupal 6.33 and 7.31 releases fix the following issue:

""
Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

All Drupal sites are vulnerable to this attack whether XML-RPC is used or not.

In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled).
""

Reference:

https://www.drupal.org/SA-CORE-2014-004

CVE request:

http://www.openwall.com/lists/oss-security/2014/08/07/1

Comment 2 Murray McAllister 2014-08-07 06:04:05 UTC
Created drupal7 tracking bugs for this issue:

Affects: fedora-all [bug 1127541]
Affects: epel-all [bug 1127542]

Comment 3 Murray McAllister 2014-08-07 06:04:07 UTC
Created drupal6 tracking bugs for this issue:

Affects: fedora-all [bug 1127539]
Affects: epel-all [bug 1127540]

Comment 4 Murray McAllister 2014-08-19 03:11:19 UTC
MITRE assigned the following CVEs:

CVE-2014-5265 to the denial of service issue:

http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830

(This CVE also applies to WordPress, https://bugzilla.redhat.com/show_bug.cgi?id=1127547)

CVE-2014-5266 to the "Skip parsing if there is an unreasonably large number of tags" issue in both xmlrpc.inc and xrds.inc:

http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830
http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830

(This CVE also applies to WordPress, https://bugzilla.redhat.com/show_bug.cgi?id=1127547)

CVE-2014-5267 to rejecting certain malformed XRDS documents:

http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830

Comment 5 Murray McAllister 2014-08-19 03:12:58 UTC
(In reply to Murray McAllister from comment #4)
> MITRE assigned the following CVEs:
> 
> CVE-2014-5265 to the denial of service issue:
> 
> http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830
> 
> (This CVE also applies to WordPress,
> https://bugzilla.redhat.com/show_bug.cgi?id=1127547)
> 
> CVE-2014-5266 to the "Skip parsing if there is an unreasonably large number
> of tags" issue in both xmlrpc.inc and xrds.inc:
> 
> http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830
> http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830
> 
> (This CVE also applies to WordPress,
> https://bugzilla.redhat.com/show_bug.cgi?id=1127547)
> 
> CVE-2014-5267 to rejecting certain malformed XRDS documents:
> 
> http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830

Reference:

http://seclists.org/oss-sec/2014/q3/385

Comment 6 Fedora Update System 2014-08-21 09:41:52 UTC
drupal7-7.31-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-08-21 09:45:39 UTC
drupal7-7.31-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-08-29 19:41:56 UTC
drupal7-7.31-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-09-26 09:05:25 UTC
drupal6-6.33-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2014-09-26 17:00:49 UTC
drupal6-6.33-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2014-09-26 17:02:09 UTC
drupal6-6.33-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2014-11-01 22:32:04 UTC
drupal7-7.32-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Shawn Iwinski 2014-11-22 16:35:53 UTC
All dependent bugs have been closed and all dists have drupal7-7.32 in stable.  Can this bug be closed?


Note You need to log in before you can comment on or make changes to this bug.