Bug 458330 (CVE-2013-1664)

Description Agostino Sarubbo 2013-02-19 17:54:22 UTC

From ${URL} :

OpenStack Security Advisory: 2013-004
CVE: CVE-2013-1664, CVE-2013-1665
Date: February 19, 2013
Title: Information leak and Denial of Service using XML entities
Reporter: Jonathan Murray (NCC Group), Joshua Harlow (Yahoo!), Stuart
Stent
Products: Keystone, Nova, Cinder (see note)
Affects: All versions

Description:
Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart
Stent independently reported a vulnerabilities in the parsing of XML
requests in Python XML libraries used in Keystone, Nova and Cinder. By
using entities in XML requests, an unauthenticated attacker may consume
excessive resources on the Keystone, Nova or Cinder API servers,
resulting in a denial of service and potentially a crash
(CVE-2013-1664). Authenticated attackers may also leverage XML entities
to read the content of a local file on the Keystone API server
(CVE-2013-1665). This only affects servers with XML support enabled.

Note:
The vulnerabilities are actually in the various affected Python XML
libraries, but we provide OpenStack patches working around the issues.

Grizzly (development branch) fixes:
Nova: https://review.openstack.org/#/c/22309/
Cinder: https://review.openstack.org/#/c/22310/
Keystone: https://review.openstack.org/#/c/22315/

Folsom fixes:
Nova: https://review.openstack.org/#/c/22312/
Cinder: https://review.openstack.org/#/c/22311/
Keystone: https://review.openstack.org/#/c/22314/

Essex fixes:
Nova: https://review.openstack.org/#/c/22313/
Keystone: https://review.openstack.org/#/c/22316/

References:
https://bugs.launchpad.net/nova/+bug/1100282
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1664
https://bugs.launchpad.net/keystone/+bug/1100279
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1665