480360 – (CVE-2013-4179) sys-cluster/cinder - sys-cluster/nova : Denial of Service using XML entities (CVE-2013-{4179,4202})

Bug 480360 (CVE-2013-4179) - sys-cluster/cinder - sys-cluster/nova : Denial of Service using XML entities (CVE-2013-{4179,4202})

Summary: sys-cluster/cinder - sys-cluster/nova : Denial of Service using XML entities ...

Status:	RESOLVED FIXED

Alias:	CVE-2013-4179

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:	~3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2013-08-09 12:45 UTC by Agostino Sarubbo
Modified:	2013-09-17 22:51 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2013-08-09 12:45:36 UTC

From ${URL} :

OpenStack Security Advisory: 2013-023
CVE: CVE-2013-4179, CVE-2013-4202
Date: August 8, 2013
Title: Denial of Service using XML entities in Nova/Cinder extensions
Reporter: Grant Murphy (Red Hat)
Products: Nova, Cinder
Affects: Grizzly and later

Description:
Grant Murphy from Red Hat reported that vulnerabilities in XML request
parsers were not fully patched in OSSA 2013-004. By leveraging XML
entity expansion in specific extensions, an unauthenticated attacker may
still consume excessive resources on the Nova (CVE-2013-4179) or Cinder
(CVE-2013-4202) API servers, resulting in a denial of service and
potentially a crash. Only Nova setups making use of the security group
extension in Grizzly are affected. Only Cinder setups making use of the
backups or volume transfer API extension in Grizzly are affected.

Havana (development branch) fixes:
Nova: https://review.openstack.org/40879
Cinder: https://review.openstack.org/40881

Grizzly fixes:
Nova: https://review.openstack.org/40880
Cinder: https://review.openstack.org/40883

Note: The Nova and Cinder Grizzly fixes will be included in the upcoming
2013.1.3 stable release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4202
https://launchpad.net/bugs/1190229



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.

Comment 1 Matthew Thode ( prometheanfire ) archtester

2013-08-11 01:25:12 UTC

cinder and nova have been updated to 2013.1.3, all bad versions removed from tree, please close.

Comment 2 Matthew Thode ( prometheanfire ) archtester

2013-08-11 03:54:02 UTC

I'm removing myself as I see this as closable, re-add me if you don't think so.

Comment 3 Chris Reffett (RETIRED) gentoo-dev

2013-08-12 00:21:36 UTC

Okay, closing.

Comment 4 GLSAMaker/CVETool Bot gentoo-dev

2013-09-17 22:37:01 UTC

CVE-2013-4179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4179):
  The security group extension in OpenStack Compute (Nova) Grizzly 2013.1.3,
  Havana before havana-3, and earlier allows remote attackers to cause a
  denial of service (resource consumption and crash) via an XML Entity
  Expansion (XEE) attack.  NOTE: this issue is due to an incomplete fix for
  CVE-2013-1664.

Comment 5 GLSAMaker/CVETool Bot gentoo-dev

2013-09-17 22:51:30 UTC

CVE-2013-4202 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4202):
  The (1) backup (api/contrib/backups.py) and (2) volume transfer
  (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and
  earlier allows remote attackers to cause a denial of service (resource
  consumption and crash) via an XML Entity Expansion (XEE) attack.  NOTE: this
  issue is due to an incomplete fix for CVE-2013-1664.