Bug 1834406 (CVE-2020-11462) - CVE-2020-11462 openvpn: temporary DoS state of the management interface when sending an XML Entity Expansion payload to the XMLRPC based RPC2
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-11462
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1834407 1834408
Blocks:
Reported: 2020-05-11 16:32 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-05-11 17:39 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-05-11 17:39:25 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2020-05-11 16:32:31 UTC
An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable.

Reference:
https://openvpn.net/vpn-server-resources/release-notes/#Release_notes_for_OpenVPN_Access_Server_283
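
As an added example (not from the bug report and not OpenVPN Access Server code): an XEE payload needs an internal DTD to declare the entities it expands, so an XML-RPC endpoint can refuse any request that carries a DOCTYPE or entity declaration before the deserializer touches it. The guard below uses only the Python standard library; the two request bodies are constructed samples, and the one with a single harmless entity stands in for a real expansion payload.

```python
import xml.parsers.expat
import xmlrpc.client


class DtdFound(Exception):
    """Signals that the request body declares a DTD or an entity."""


def contains_dtd(body) -> bool:
    """Return True if the XML document carries a DOCTYPE or entity declaration.

    Entity expansion needs those declarations, so rejecting them up front
    blocks the whole class without ever expanding anything.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdFound("DOCTYPE declaration present")

    def on_entity(*decl):
        raise DtdFound("entity declaration present")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(body, True)
    except DtdFound:
        return True
    except xml.parsers.expat.ExpatError:
        # Malformed XML is left for the RPC layer to reject; no DTD was seen.
        return False
    return False


def safe_rpc_loads(body):
    """Deserialise an XML-RPC call only after the DTD guard has passed."""
    if contains_dtd(body):
        raise ValueError("rejected XML-RPC request: DTD/entity declarations not allowed")
    return xmlrpc.client.loads(body)  # -> (params, methodname)


# Constructed sample: an ordinary call, as produced by the stdlib marshaller.
BENIGN_CALL = xmlrpc.client.dumps(("ping",), methodname="Status")

# Constructed sample: the same call with an internal DTD declaring one entity.
DTD_CALL = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE methodCall [ <!ENTITY a "x"> ]>'
    '<methodCall><methodName>Status</methodName>'
    '<params><param><value>&a;</value></param></params></methodCall>'
)
```

The check is cheap because expat raises at the DOCTYPE before any entity content is read, so the guard itself cannot be made to expand anything.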

Comment 1 Guilherme de Almeida Suckevicz 2020-05-11 16:32:51 UTC
Created openvpn tracking bugs for this issue:

Affects: epel-all [bug 1834408]
Affects: fedora-all [bug 1834407]

Comment 2 David Sommerseth 2020-05-11 17:39:25 UTC
See bugzilla #1834406

