[openstack-announce] [OSSA 2013-023] Denial of Service using XML entities in Nova/Cinder extensions (CVE-2013-4179, CVE-2013-4202)

8 Aug 2013

      -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-023
CVE: CVE-2013-4179, CVE-2013-4202
Date: August 8, 2013
Title: Denial of Service using XML entities in Nova/Cinder extensions
Reporter: Grant Murphy (Red Hat)
Products: Nova, Cinder
Affects: Grizzly and later

Description:
Grant Murphy from Red Hat reported that vulnerabilities in XML request
parsers were not fully patched in OSSA 2013-004. By leveraging XML
entity expansion in specific extensions, an unauthenticated attacker may
still consume excessive resources on the Nova (CVE-2013-4179) or Cinder
(CVE-2013-4202) API servers, resulting in a denial of service and
potentially a crash. Only Nova setups making use of the security group
extension in Grizzly are affected. Only Cinder setups making use of the
backups or volume transfer API extension in Grizzly are affected.

Havana (development branch) fixes:
Nova: https://review.openstack.org/40879
Cinder: https://review.openstack.org/40881

Grizzly fixes:
Nova: https://review.openstack.org/40880
Cinder: https://review.openstack.org/40883

Note: The Nova and Cinder Grizzly fixes will be included in the upcoming
2013.1.3 stable release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4202
https://launchpad.net/bugs/1190229

Regards,

- -- 
Thierry Carrez
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJSA8K6AAoJEFB6+JAlsQQj05EP/Rq9FXVZJCNfXgCBEpeSgrh/
kaglidx9JMqnvxJd92M+KFHZrZgBazwH9ZwsD1i4zs64XP1KH2UbvXzlwfaCb3M0
5/9cbqocyHJAeOFpYPvQCz/TmsHVH7CgftNL474AGixyTXfaH745/zveABNIYhou
aEpq3CxHOcNycCuPYj4FgcXZ7lf8Eu7vaVsNhXmk/qgWo+l6N4LYznHf6UxHMnHf
fB7+ZcjMCZtfZHO/9LRmROiprHHX9CprWtTZX+RUNjTa38VzyEetXG50zCEIiI/S
wsxAUSOA6tremYLeuNXZwRawLdpolzvhEt04GITa7AC8udnjXkvHyA1VUcAtysMT
SP5abGWdKMibSVwOmJ6+YLVMMXpTn9ww5LD2yJrcRy+xXyD9k2ofq8VMY9P/DJ2w
kEEEQaMtmmqYqoVZc/rLRjBNiGgvD58hxYtLEVMShgbkduAUgfWmBnsZ7zgbzY9X
ZDUN3wYkEQk6UZepa4g4mIjTFM0PkqXNoCOl8q7xNpLNYpmbF5rheIeE1HjIglGq
hbCWzxDJZtKjvd2MqtYlZGfTgjpPA6tEDC3vto8nfsHQqvZUxv/OKg6KSCIq/6UA
wxUD952GPmhImN+UVYiFMuNufufb0EI/EkVsmPJm54siOeq/ZOYvEc44M6K++7ve
3MySqda3xPZMaZn8KTFz
=XFeJ
-----END PGP SIGNATURE-----