Christian Heimes <christian> reports:

Entity declarations can contain more than just text for replacement.

billion laughs / exponential entity expansion

The Billion Laughs attack -- also known as exponential entity expansion -- uses multiple levels of nested entities. The original example uses 9 levels of 10 expansions in each level to expand the string lol to a string of 3 * 10^9 bytes, hence the name "billion laughs". The resulting string occupies 3 GB (2.79 GiB) of memory; intermediate strings require additional memory. Because most parsers don't cache the intermediate step for every expansion it is repeated over and over again. It increases the CPU load even more. An XML document of just a few hundred bytes can disrupt all services on a machine within seconds.

quadratic blowup entity expansion

A quadratic blowup attack is similar to a Billion Laughs attack; it abuses entity expansion, too. Instead of nested entities it repeats one large entity with a couple of ten thousand chars over and over again. The attack isn't as efficient as the exponential case but it avoids triggering countermeasures of parsers against heavily nested entities. Some parsers limit the depth and breadth of a single entity but not the total amount of expanded text throughout an entire XML document. A medium-sized XML document with a couple of hundred kilobytes can require a couple of hundred MB to several GB of memory. When the attack is combined with some level of nested expansion an attacker is able to achieve a higher ratio of success.

External reference: http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
*** Bug 910221 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products: OpenStack Folsom for RHEL 6 Via RHSA-2013:0596 https://rhn.redhat.com/errata/RHSA-2013-0596.html
This issue has been addressed in the following products: OpenStack Folsom for RHEL 6 Via RHSA-2013:0670 https://rhn.redhat.com/errata/RHSA-2013-0670.html
This issue has been addressed in the following products: OpenStack Folsom for RHEL 6 Via RHSA-2013:0658 https://rhn.redhat.com/errata/RHSA-2013-0658.html
This issue has been addressed in the following products: OpenStack Folsom for RHEL 6 Via RHSA-2013:0657 https://rhn.redhat.com/errata/RHSA-2013-0657.html
Python's interfaces for processing XML are grouped in the xml module, which is a part of the python package. The XML modules are not secure against erroneous or maliciously constructed data, and such data should not be directly parsed via Python's xml modules. This is clearly documented at:

https://docs.python.org/2/library/xml.html
https://docs.python.org/2/library/xml.html#xml-vulnerabilities

Python upstream suggests the use of the "defusedxml" package, but it breaks backward compatibility.

Statement: This issue affects the versions of python as shipped with Red Hat Enterprise Linux 5, 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates.
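The mitigation defusedxml applies to the stdlib parser is to refuse any entity declaration before the body is parsed, which stops both the nested (billion laughs) and the repeated-large-entity (quadratic blowup) variants described in the report, since both need an internal DTD subset that declares entities. The following is an added example, not code from the bug report, from defusedxml or from Red Hat; it uses only the stdlib `xml.parsers.expat` module, and the two XML documents are constructed test inputs (a tiny three-level nested-entity document and a benign one).

```python
"""Refuse XML entity declarations before any expansion happens (stdlib-only)."""
import xml.parsers.expat


class EntitiesForbidden(ValueError):
    """Raised when the document declares any internal or external entity."""


def parse_without_entities(data: bytes) -> dict:
    """Parse `data` with expat, aborting on the first <!ENTITY ...> declaration.

    Returns a small summary (element count, characters delivered) so the
    caller can see that a benign document was parsed completely.
    """
    parser = xml.parsers.expat.ParserCreate()
    summary = {"elements": 0, "chars": 0}

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # expat fires this while reading the DTD, i.e. before any entity
        # reference in the body is expanded, so raising here stops the parse
        # before the exponential or quadratic expansion can start.
        raise EntitiesForbidden(f"entity declaration not allowed: {name!r}")

    def start_element(name, attrs):
        summary["elements"] += 1

    def char_data(text):
        # Character data may arrive in several chunks; only the total matters.
        summary["chars"] += len(text)

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)  # an exception from a handler propagates out of Parse()
    return summary


# Constructed test inputs: the nested-entity shape from the report, kept to
# three levels of three so it expands to only 81 bytes, and a benign document.
NESTED_ENTITIES = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

BENIGN = b"<?xml version='1.0'?><doc><item>hi</item><item>there</item></doc>"
```

Running `parse_without_entities(NESTED_ENTITIES)` raises EntitiesForbidden at the first declaration, while the benign document parses normally; a service can catch that exception and reject the request instead of spending memory and CPU on expansion.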