Thierry Carrez (thierry) reports:

Title: Information leak and Denial of Service using XML entities
Reporter: Jonathan Murray (NCC Group), Joshua Harlow (Yahoo!), Stuart Stent
Products: Keystone, Nova, Cinder
Affects: All versions

Description:
Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart Stent independently reported a vulnerability in the parsing of XML requests in Keystone, Nova and Cinder. By using entities in XML requests, an unauthenticated attacker may consume excessive resources on the Keystone, Nova or Cinder API servers, resulting in a denial of service and potentially a crash. This only affects servers with XML support enabled.

Proposed patches:
See attached patches for current development tree (Grizzly) and the Folsom and Essex series for each of the affected projects. Unless a flaw is discovered in them, these proposed patches will be merged to master, stable/folsom and stable/essex branches on the public disclosure date.
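For the entity handling described in the report above, one defensive pattern is to refuse any DOCTYPE or entity declaration before the parser can expand it. This is an added example, not the attached OpenStack patches; `parse_request_xml`, `ForbiddenXML` and the 64 KiB cap are hypothetical names and values, and the sample bodies are constructed.

```python
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Request body is malformed or uses a DTD construct we refuse."""


def _reject(kind):
    def handler(*_args):
        raise ForbiddenXML(kind + " not allowed in API request bodies")
    return handler


def parse_request_xml(body, max_bytes=64 * 1024):
    """Return [(tag, attrs, text), ...] in closing order, or raise ForbiddenXML."""
    if len(body) > max_bytes:  # assumed size cap, tune per API
        raise ForbiddenXML("request body too large")
    parser = xml.parsers.expat.ParserCreate()
    # Fail at the declaration, before any entity reference can be expanded.
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE declaration")
    parser.EntityDeclHandler = _reject("entity declaration")
    parser.UnparsedEntityDeclHandler = _reject("unparsed entity declaration")
    parser.ExternalEntityRefHandler = _reject("external entity reference")

    elements, stack = [], []

    def start(name, attrs):
        stack.append((name, dict(attrs), []))

    def chars(data):
        if stack:
            stack[-1][2].append(data)

    def end(_name):
        name, attrs, text = stack.pop()
        elements.append((name, attrs, "".join(text).strip()))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ForbiddenXML("malformed XML: %s" % exc) from exc
    return elements


# Constructed samples: a plain request, and one declaring a single harmless entity.
PLAIN = b'<auth><user name="demo">alice</user></auth>'
WITH_ENTITY = b'<!DOCTYPE auth [<!ENTITY e "alice">]><auth><user>&e;</user></auth>'
```

Rejecting at the DOCTYPE means the body fails with a clear error that an API layer can map to a 400 response, and the size cap bounds the work done on bodies that contain no DTD at all.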
Created attachment 696367 nova-essex-CVE-2013-0280.patch
Created attachment 696368 nova-folsom-CVE-2013-0280.patch
Created attachment 696369 nova-grizzly-CVE-2013-0280.patch
External References: http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html
NB: use CVE-2013-1664, CVE-2013-1665 for OpenStack (see https://bugzilla.redhat.com/show_bug.cgi?id=910221#c7)
See bug 912400 which was filed for CVE-2013-166[45]. These bugs should probably be CLOSED:NOTABUG.
This issue has been addressed in the following products:

OpenStack Folsom for RHEL 6

Via RHSA-2013:0657 https://rhn.redhat.com/errata/RHSA-2013-0657.html