Christian Heimes <christian> reports: Entity declarations can contain more than just text for replacement. They can also point to external resources by public identifiers or system identifiers. System identifiers are standard URIs. When the URI is a URL (e.g. a http:// locator) some parsers download the resource from the remote location and embed it into the XML document verbatim. Using external entity expansion opens the door to plenty of exploits. An attacker can abuse a vulnerable XML library and application to rebound and forward network requests with the IP address of the server. It highly depends on the parser and the application what kind of exploit is possible. For example:
* An attacker can circumvent firewalls and gain access to restricted resources, as all the requests are made from an internal and trustworthy IP address, not from the outside.
* An attacker can abuse a service to attack, spy on or DoS your servers but also third-party services. The attack is disguised with the IP address of the server and the attacker is able to utilize the high bandwidth of a big machine.
* An attacker can exhaust additional resources on the machine, e.g. with requests to a service that doesn't respond or responds with very large files.
* An attacker may gain knowledge of when, how often and from which IP address an XML document is accessed.
* An attacker could send mail from inside your network if the URL handler supports smtp:// URIs.
External reference: http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
This issue has been addressed in the following products: OpenStack Folsom for RHEL 6 Via RHSA-2013:0596 https://rhn.redhat.com/errata/RHSA-2013-0596.html
This issue has been addressed in the following products: OpenStack Folsom for RHEL 6 Via RHSA-2013:0670 https://rhn.redhat.com/errata/RHSA-2013-0670.html
This issue has been addressed in the following products: OpenStack Folsom for RHEL 6 Via RHSA-2013:0658 https://rhn.redhat.com/errata/RHSA-2013-0658.html
This issue has been addressed in the following products: OpenStack Folsom for RHEL 6 Via RHSA-2013:0657 https://rhn.redhat.com/errata/RHSA-2013-0657.html
Python's interfaces for processing XML are grouped in the xml module, which is part of the python package. The XML modules are not secure against erroneous or maliciously constructed data, and such data should not be parsed directly via python's xml modules. This is clearly documented at: https://docs.python.org/2/library/xml.html https://docs.python.org/2/library/xml.html#xml-vulnerabilities Python upstream suggests the use of the "defusedxml" package, but it breaks backward compatibility.

Statement: This issue affects the versions of python as shipped with Red Hat Enterprise Linux 5, 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates.
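Where replacing the parser with defusedxml is not an option, an application can at least refuse documents whose DTD declares external entities or an external subset before handing them to the regular parser. The following is an added example (not code from the page, from defusedxml or from Red Hat) that uses only the stdlib expat bindings in inspect-only mode; the sample documents and the http://internal.example URLs are constructed for the test, and it assumes the application otherwise parses with xml.etree.ElementTree.

```python
"""Pre-parse guard: reject XML whose DTD reaches outside the document."""
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class ExternalEntityError(ValueError):
    """The document declares an entity or DTD located outside itself."""


def external_references(data):
    """Return a list describing every external reference the DTD declares.

    expat never performs I/O itself; it only reports the declaration to the
    handlers below, so this walk inspects the document without fetching
    anything. Parameter entities are never expanded, which is the path by
    which an external DTD would otherwise be loaded.
    """
    findings = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def start_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            findings.append(f"doctype {name} -> {system_id or public_id}")

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # An internal entity carries only replacement text; an external one
        # carries a system or public identifier instead.
        if system_id is not None or public_id is not None:
            kind = "parameter entity" if is_param else "entity"
            findings.append(f"{kind} {name} -> {system_id or public_id}")

    def external_ref(context, base, system_id, public_id):
        # Returning 1 tells expat the reference was handled; nothing is fetched.
        findings.append(f"reference -> {system_id or public_id}")
        return 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.Parse(data, True)
    return findings


def safe_fromstring(data):
    """Parse with ElementTree only if the guard found no external references."""
    found = external_references(data)
    if found:
        raise ExternalEntityError("; ".join(found))
    return ET.fromstring(data)


# Constructed samples: a plain document, one declaring an external entity,
# and one pointing at an external DTD subset.
SAFE_DOC = b"<note><to>ops</to></note>"
XXE_DOC = (b'<!DOCTYPE note [<!ENTITY ext SYSTEM "http://internal.example/secret">]>'
           b"<note>&ext;</note>")
DTD_DOC = b'<!DOCTYPE note SYSTEM "http://internal.example/note.dtd"><note/>'
```

Internal entity expansion (the "billion laughs" class of input) is a separate concern that this guard does not address.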