Bug 910222 - CVE-2013-1664 CVE-2013-1665 OpenStack cinder: XML entity parsing
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 910232
Blocks: 910225 CVE-2013-1665 CVE-2013-1664
Reported: 2013-02-11 22:58 EST by Kurt Seifried
Modified: 2016-04-26 13:29 EDT
Doc Type: Bug Fix
Last Closed: 2014-02-19 23:58:39 EST

Attachments
cinder-folsom-CVE-2013-0279.patch (9.42 KB, patch), 2013-02-11 22:58 EST, Kurt Seifried
cinder-grizzly-CVE-2013-0279.patch (11.19 KB, patch), 2013-02-11 22:58 EST, Kurt Seifried

Description Kurt Seifried 2013-02-11 22:58:07 EST
Thierry Carrez (thierry@openstack.org) reports:

Title: Information leak and Denial of Service using XML entities
Reporter: Jonathan Murray (NCC Group), Joshua Harlow (Yahoo!), Stuart Stent
Products: Keystone, Nova, Cinder
Affects: All versions

Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart
Stent independently reported a vulnerability in the parsing of XML
requests in Keystone, Nova and Cinder. By using entities in XML
requests, an unauthenticated attacker may consume excessive resources on
the Keystone, Nova or Cinder API servers, resulting in a denial of
service and potentially a crash. This only affects servers with XML 
support enabled.

Proposed patches:
See attached patches for current development tree (Grizzly) and the
Folsom and Essex series for each of the affected projects. Unless a flaw
is discovered in them, these proposed patches will be merged to master,
stable/folsom and stable/essex branches on the public disclosure date.
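The advisory above describes resource exhaustion through entity declarations in XML request bodies. As an added illustration, which is not part of this bug report and not the attached OpenStack patches, the following Python code shows one defensive approach using only the standard library: an expat-backed SAX parser that refuses any DOCTYPE, entity declaration or external entity reference before expat gets a chance to expand anything. The class and function names and the sample request bodies are constructed here for the example.

```python
"""Hardened SAX parsing for untrusted XML request bodies (added example).

Not OpenStack's own patch: a reader built on xml.sax.expatreader that
rejects DTD constructs outright, so entity expansion never starts.
"""
import io
from xml.sax import SAXParseException, expatreader
from xml.sax.handler import ContentHandler


class EntityRejectingParser(expatreader.ExpatParser):
    """Expat-backed SAX parser that aborts on DOCTYPE/entity constructs.

    ExpatParser builds a fresh expat parser inside reset(), which parse()
    and feed() call before parsing; we install rejecting callbacks right
    after that so they are always in place.
    """

    def reset(self):
        super().reset()
        # Any DOCTYPE is refused, which already covers internal and external
        # entity declarations; the remaining handlers are belt and braces.
        self._parser.StartDoctypeDeclHandler = self._reject_doctype
        self._parser.EntityDeclHandler = self._reject_entity
        self._parser.UnparsedEntityDeclHandler = self._reject_entity
        self._parser.ExternalEntityRefHandler = self._reject_external

    @staticmethod
    def _reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE declarations are not accepted")

    @staticmethod
    def _reject_entity(*declaration):
        raise ValueError("entity declarations are not accepted")

    @staticmethod
    def _reject_external(context, base, sysid, pubid):
        raise ValueError("external entity references are not accepted")


class TagCollector(ContentHandler):
    """Minimal content handler that records element names in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def startElement(self, name, attrs):
        self.tags.append(name)


def parse_request_body(body: bytes) -> list:
    """Parse an untrusted XML body and return its element names.

    Raises ValueError for DTD constructs and SAXParseException for
    malformed XML (including references to undeclared entities).
    """
    parser = EntityRejectingParser()
    collector = TagCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return collector.tags


def is_accepted(body: bytes) -> bool:
    """True if the body parses under the hardened reader, False if rejected."""
    try:
        parse_request_body(body)
    except (ValueError, SAXParseException):
        return False
    return True


# Constructed sample request bodies (hypothetical, not from the advisory).
BENIGN = b'<?xml version="1.0"?><volume><name>vol-01</name><size>10</size></volume>'
INTERNAL_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE volume [<!ENTITY big "aaaa">]>'
                   b'<volume>&big;</volume>')
EXTERNAL_ENTITY = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE volume [<!ENTITY ext SYSTEM "file:///dev/null">]>'
                   b'<volume>&ext;</volume>')
UNDECLARED_REF = b'<?xml version="1.0"?><volume>&nothing;</volume>'


if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("internal entity", INTERNAL_ENTITY),
                        ("external entity", EXTERNAL_ENTITY),
                        ("undeclared reference", UNDECLARED_REF)]:
        print(f"{label}: {'accepted' if is_accepted(body) else 'rejected'}")
```

Rejecting the DOCTYPE itself, rather than trying to bound expansion, is the simplest policy for an API that never needs DTDs; the entity handlers only matter for parsers configured to skip the DOCTYPE callback. A body that references an entity without declaring one fails as malformed XML, which the hardened reader also treats as a rejection.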
Comment 1 Kurt Seifried 2013-02-11 22:58:43 EST
Created attachment 696353
Comment 2 Kurt Seifried 2013-02-11 22:58:59 EST
Created attachment 696354
Comment 5 errata-xmlrpc 2013-03-21 14:13:25 EDT
This issue has been addressed in following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0658 https://rhn.redhat.com/errata/RHSA-2013-0658.html
