Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <51239F86.60806@openstack.org>
Date: Tue, 19 Feb 2013 16:51:34 +0100
From: Thierry Carrez <thierry@...nstack.org>
To: "openstack@...ts.launchpad.net" <openstack@...ts.launchpad.net>, 
 oss-security@...ts.openwall.com, openstack-announce@...ts.openstack.org
Subject: [OSSA 2013-004] Information leak and Denial of Service using XML
 entities (CVE-2013-1664, CVE-2013-1665)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-004
CVE: CVE-2013-1664, CVE-2013-1665
Date: February 19, 2013
Title: Information leak and Denial of Service using XML entities
Reporter: Jonathan Murray (NCC Group), Joshua Harlow (Yahoo!), Stuart
Stent
Products: Keystone, Nova, Cinder (see note)
Affects: All versions

Description:
Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart
Stent independently reported a vulnerabilities in the parsing of XML
requests in Python XML libraries used in Keystone, Nova and Cinder. By
using entities in XML requests, an unauthenticated attacker may consume
excessive resources on the Keystone, Nova or Cinder API servers,
resulting in a denial of service and potentially a crash
(CVE-2013-1664). Authenticated attackers may also leverage XML entities
to read the content of a local file on the Keystone API server
(CVE-2013-1665). This only affects servers with XML support enabled.

Note:
The vulnerabilities are actually in the various affected Python XML
libraries, but we provide OpenStack patches working around the issues.

Grizzly (development branch) fixes:
Nova: https://review.openstack.org/#/c/22309/
Cinder: https://review.openstack.org/#/c/22310/
Keystone: https://review.openstack.org/#/c/22315/

Folsom fixes:
Nova: https://review.openstack.org/#/c/22312/
Cinder: https://review.openstack.org/#/c/22311/
Keystone: https://review.openstack.org/#/c/22314/

Essex fixes:
Nova: https://review.openstack.org/#/c/22313/
Keystone: https://review.openstack.org/#/c/22316/

References:
https://bugs.launchpad.net/nova/+bug/1100282
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1664
https://bugs.launchpad.net/keystone/+bug/1100279
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1665

- -- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJRI5+DAAoJEFB6+JAlsQQj2fQQALLE9GEOIRGcj9gXXQ5mDS3l
/CWI6ljTlVWxXy143lAUbkpvW0AHx0S6wVU38Hh/wS6D3u4JpxC2lERcI6KB7XyF
R6F7qWzdwulh+0GX9n+8rO0qLVkqhB6hn3bCVUKu20N+cromJHsSgzDU6lvVlUAU
dwc9eFWmg2d7bpESUdltDo9yEnz0jXxzOpCseC5/zfSo5RnJU1Oi4ZaiXPzbRqqb
bQzKRGevLddHAMKJnKrYvpg5471LQ8bC7rMYwq44c4HH0+ZhwQVgwyBxdeyNGISI
kJ1LhTGlDdTN1SBV3QDc0//pai2tQtcY96sQJ+1FWl9wrAMft+hSyCmRlsX2O4O1
zbN/iUEVmZRP1/JuD8tk+TDUlBdTSZai3pV9bVlRQ7GWUKSreDI38T87d+ZZe0Uz
f63hafBSKGqQ/GD8s5HnJopvGK1vY2zgiNuORJc5PH8iPo/75YVRM3Ct6lFwooIe
uPow6AbydISEVUbsK1AcLESQ6Uq4CufsNUColi1o+2PRlc2/Jt/ZXaFx2LfsE6ka
m6cXJMIZZ6Mrz6ogtYnEYDkzPPQ7/oLXzVxoS3NCoh/LLxs838eqiAZ+mVVboAaO
LOARFrqYw8wfg45JLqQ2mb/Oe10hPZdMwc+lQa2ccDYLBJXkrMKz7vHW8W47bM1H
i5g9RJ8pkA5wFKxBgfKj
=pNuW
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.