Bug 1593776 (CVE-2018-10868) - CVE-2018-10868 redhat-certification: billion laugh attack when getting the status of a host
Summary: CVE-2018-10868 redhat-certification: billion laugh attack when getting the st...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-10868
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1608786
Blocks: 1593614
TreeView+ depends on / blocked
 
Reported: 2018-06-21 14:48 UTC by Riccardo Schirone
Modified: 2021-10-25 09:45 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It has been discovered that redhat-certification does not properly limit the number of recursive definitions of entities in XML documents while parsing the status of a host. A remote attacker could use this vulnerability to consume all the memory of the server and cause a Denial of Service.
Clone Of:
Environment:
Last Closed: 2021-10-25 09:45:42 UTC
Embargoed:


Attachments (Terms of Use)

Description Riccardo Schirone 2018-06-21 14:48:29 UTC
redhat-certification does not properly restrict the number of recursive definitions of entities in XML documents, allowing an unauthenticated user to run a "Billion Laugh Attack"[1] by replying to XMLRPC methods when getting the status of an host.

[1] https://en.wikipedia.org/wiki/Billion_laughs_attack

Comment 1 Riccardo Schirone 2018-06-21 14:48:38 UTC
Acknowledgments:

Name: Riccardo Schirone (Red Hat Product Security)

Comment 3 Riccardo Schirone 2018-06-25 13:12:26 UTC
getHostStatus in view.py connects to an XMLRPC server provided by the user, who could setup a fake server and reply with a small XML file which, when parsed, uses a big amount of memory.


Note You need to log in before you can comment on or make changes to this bug.