Bug 972988 - (CVE-2013-2161) OpenStack Swift: Unchecked user input in Swift XML responses
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Hardware: All / OS: Linux
Priority: medium / Severity: medium
Assigned To: Red Hat Product Security
Depends On: 973372 972992 973370 974954 974956
Blocks: 972990
Reported: 2013-06-10 22:26 EDT by Garth Mollett
Modified: 2017-01-26 21:56 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
Patch (584 bytes, patch)
2013-06-10 22:39 EDT, Garth Mollett
escape-CVE-2013-2161.patch (664 bytes, patch)
2013-06-12 13:12 EDT, Kurt Seifried

Description Garth Mollett 2013-06-10 22:26:24 EDT
Alex Gaynor from Rackspace reported a vulnerability in XML handling
within Swift account servers. Account strings were unescaped in XML
listings, and an attacker could potentially generate unparsable or
arbitrary XML responses which may be used to leverage other
vulnerabilities in the calling software.
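The defect described above, shown as an added example that is not Swift's own code and not the attached patch: a simplified account listing in which untrusted container names are first interpolated raw and then escaped for their XML context, plus a client-side parse that demonstrates the difference. The listing layout and the sample names are assumptions constructed for this illustration.

```python
# Added example (not Swift's code or the CVE patch): an account listing
# that embeds untrusted strings into XML, in a vulnerable and a hardened form.
from xml.sax.saxutils import escape, quoteattr
import xml.etree.ElementTree as ET

# Constructed sample listing data; the second name carries XML metacharacters.
SAMPLE_CONTAINERS = [
    {"name": "photos", "count": 3, "bytes": 4096},
    {"name": 'docs<extra/>&"x"', "count": 1, "bytes": 12},
]


def listing_unescaped(account, containers):
    """Vulnerable shape: raw strings are interpolated straight into the body."""
    parts = ['<account name="%s">' % account]
    for c in containers:
        parts.append(
            "<container><name>%s</name><count>%d</count><bytes>%d</bytes></container>"
            % (c["name"], c["count"], c["bytes"])
        )
    parts.append("</account>")
    return "\n".join(parts)


def listing_escaped(account, containers):
    """Hardened shape: every untrusted string is escaped for its XML context.

    quoteattr() handles the attribute value (adds quotes and escapes them),
    escape() handles element text (&, <, >); numeric fields are coerced to int.
    """
    parts = ["<account name=%s>" % quoteattr(account)]
    for c in containers:
        parts.append(
            "<container><name>%s</name><count>%d</count><bytes>%d</bytes></container>"
            % (escape(c["name"]), int(c["count"]), int(c["bytes"]))
        )
    parts.append("</account>")
    return "\n".join(parts)


def container_names(xml_text):
    """Parse a listing the way a client would.

    Returns the list of <name> texts, or None when the document is malformed,
    which is exactly the 'unparsable response' failure mode from the report.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return [el.findtext("name") for el in root.findall("container")]


def name_roundtrips(name):
    """Check that an arbitrary name survives the escaped listing unchanged."""
    listing = listing_escaped("acct", [{"name": name, "count": 0, "bytes": 0}])
    return container_names(listing) == [name]


if __name__ == "__main__":
    print("unescaped ->", container_names(listing_unescaped("acct", SAMPLE_CONTAINERS)))
    print("escaped   ->", container_names(listing_escaped("acct", SAMPLE_CONTAINERS)))
```

With the unescaped builder the sample listing is not well-formed XML and a strict client gets nothing, while a name that happens to contain a valid entity reference parses but with altered content; the escaped builder returns every name byte-for-byte as stored. The round-trip check is the kind of unit test worth keeping next to any handler that renders user-controlled strings into a structured format.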
Comment 2 Garth Mollett 2013-06-10 22:39:24 EDT
Created attachment 759406 [details]
Comment 7 Kurt Seifried 2013-06-11 14:12:16 EDT
Proposed public disclosure date/time:
Thursday, June 13, 2013, 1500UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.
Comment 10 Garth Mollett 2013-06-11 19:45:33 EDT

The Red Hat Security Response Team has rated this issue as having moderate security impact in OpenStack Essex (1.0) and OpenStack Folsom (2.1). A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 12 Kurt Seifried 2013-06-12 13:12:01 EDT
Created attachment 760270 [details]
Comment 17 Jan Lieskovsky 2013-06-17 05:05:47 EDT
This issue affects the versions of the openstack-swift package as shipped with Fedora releases 17 and 18, and with Fedora EPEL-6. Please schedule an update.
Comment 18 Jan Lieskovsky 2013-06-17 05:07:08 EDT
Created openstack-swift tracking bugs for this issue

Affects: fedora-all [bug 974954]
Affects: epel-6 [bug 974956]
Comment 19 Murray McAllister 2013-06-24 23:22:14 EDT

Red Hat would like to thank Alex Gaynor from Rackspace for reporting this issue.
Comment 20 errata-xmlrpc 2013-06-27 12:49:37 EDT
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:0993 https://rhn.redhat.com/errata/RHSA-2013-0993.html
