Bug 912982 (CVE-2013-1665) - CVE-2013-1665 Python xml bindings: External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities
Summary: CVE-2013-1665 Python xml bindings: External entity expansion in Python XML li...
Status: CLOSED ERRATA
Alias: CVE-2013-1665
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20130219,repor...
Keywords: Reopened, Security
Depends On: 910221 910222 910232 913054 917199 917200
Blocks: 916494 916496 916499 916886 1067315
TreeView+ depends on / blocked
 
Reported: 2013-02-20 05:47 UTC by Kurt Seifried
Modified: 2019-06-08 19:26 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-08-03 06:21:44 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0596 normal SHIPPED_LIVE Moderate: openstack-keystone security, bug fix, and enhancement update 2013-03-06 01:59:51 UTC
Red Hat Product Errata RHSA-2013:0657 normal SHIPPED_LIVE Moderate: openstack-nova security, bug fix, and enhancement update 2013-03-21 22:12:14 UTC
Red Hat Product Errata RHSA-2013:0658 normal SHIPPED_LIVE Moderate: openstack-cinder security and enhancement update 2013-03-21 22:12:06 UTC
Red Hat Product Errata RHSA-2013:0670 normal SHIPPED_LIVE Moderate: Django security update 2013-03-21 22:12:01 UTC

Description Kurt Seifried 2013-02-20 05:47:04 UTC
Christian Heimes <christian@python.org> reports:

Entity declarations can contain more than just text for replacement. They can 
also point to external resources by public identifiers or system identifiers. 
System identifiers are standard URIs. When the URI is a URL (e.g. a http:// 
locator) some parsers download the resource from the remote location and embed 
them into the XML document verbatim.

Using External entity expansion opens the door to plenty of exploits. An attacker can abuse a vulnerable XML library and application to rebound and forward network 
requests with the IP address of the server. It highly depends on the parser and 
the application what kind of exploit is possible. For example:

* An attacker can circumvent firewalls and gain access to restricted resources as 
all the requests are made from an internal and trustworthy IP address, not from 
the outside.
* An attacker can abuse a service to attack, spy on or DoS your servers but also 
third party services. The attack is disguised with the IP address of the server 
and the attacker is able to utilize the high bandwidth of a big machine.
* An attacker can exhaust additional resources on the machine, e.g. with requests 
to a service that doesn't respond or responds with very large files.
* An attacker may gain knowledge, when, how often and from which IP address a XML 
document is accessed.
* An attacker could send mail from inside your network if the URL handler 
supports smtp:// URIs.

External reference:
http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html

Comment 8 errata-xmlrpc 2013-03-05 21:01:59 UTC
This issue has been addressed in following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0596 https://rhn.redhat.com/errata/RHSA-2013-0596.html

Comment 9 errata-xmlrpc 2013-03-21 18:12:26 UTC
This issue has been addressed in following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0670 https://rhn.redhat.com/errata/RHSA-2013-0670.html

Comment 10 errata-xmlrpc 2013-03-21 18:13:37 UTC
This issue has been addressed in following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0658 https://rhn.redhat.com/errata/RHSA-2013-0658.html

Comment 11 errata-xmlrpc 2013-03-21 18:16:35 UTC
This issue has been addressed in following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0657 https://rhn.redhat.com/errata/RHSA-2013-0657.html

Comment 12 Huzaifa S. Sidhpurwala 2015-08-03 06:21:17 UTC
Python’s interfaces for processing XML are grouped in the xml module, which is a part of the python package. The XML modules are not secure against erroneous or maliciously constructed data, and such data should not be directly parsed via python's xml modules.

This is clearly documented at:
https://docs.python.org/2/library/xml.html
https://docs.python.org/2/library/xml.html#xml-vulnerabilities

Python upstream suggests the use of "defusedxml" packages, but they break backward compatibility.


Statement:

This issue affects the versions of python as shipped with Red Hat Enterprise Linux 5, 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates.


Note You need to log in before you can comment on or make changes to this bug.