Thierry Carrez (thierry) reports: Title: Information leak and Denial of Service using XML entities Reporter: Jonathan Murray (NCC Group), Joshua Harlow (Yahoo!), Stuart Stent Products: Keystone, Nova, Cinder Affects: All versions Description: Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart Stent independently reported a vulnerability in the parsing of XML requests in Keystone, Nova and Cinder. By using entities in XML requests, an unauthenticated attacker may consume excessive resources on the Keystone, Nova or Cinder API servers, resulting in a denial of service and potentially a crash. This only affects servers with XML support enabled. Proposed patches: See attached patches for current development tree (Grizzly) and the Folsom and Essex series for each of the affected projects. Unless a flaw is discovered in them, these proposed patches will be merged to master, stable/folsom and stable/essex branches on the public disclosure date.
Created attachment 696353 [details] cinder-folsom-CVE-2013-0279.patch
Created attachment 696354 [details] cinder-grizzly-CVE-2013-0279.patch
Published today http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html NB: use CVE-2013-1664, CVE-2013-1665 for OpenStack (see https://bugzilla.redhat.com/show_bug.cgi?id=910221#c7)
This issue has been addressed in following products: OpenStack Folsom for RHEL 6 Via RHSA-2013:0658 https://rhn.redhat.com/errata/RHSA-2013-0658.html