[OSSA 2013-023] Denial of Service using XML entities in Nova/Cinder extensions (CVE-2013-4179, CVE-2013-4202)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
OpenStack Security Advisory: 2013-023 CVE: CVE-2013-4179, CVE-2013-4202 Date: August 8, 2013 Title: Denial of Service using XML entities in Nova/Cinder extensions Reporter: Grant Murphy (Red Hat) Products: Nova, Cinder Affects: Grizzly and later
Description: Grant Murphy from Red Hat reported that vulnerabilities in XML request parsers were not fully patched in OSSA 2013-004. By leveraging XML entity expansion in specific extensions, an unauthenticated attacker may still consume excessive resources on the Nova (CVE-2013-4179) or Cinder (CVE-2013-4202) API servers, resulting in a denial of service and potentially a crash. Only Nova setups making use of the security group extension in Grizzly are affected. Only Cinder setups making use of the backups or volume transfer API extension in Grizzly are affected.
Havana (development branch) fixes: Nova: https://review.openstack.org/40879 Cinder: https://review.openstack.org/40881
Grizzly fixes: Nova: https://review.openstack.org/40880 Cinder: https://review.openstack.org/40883
Note: The Nova and Cinder Grizzly fixes will be included in the upcoming 2013.1.3 stable release.
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4179 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4202 https://launchpad.net/bugs/1190229
Regards,
- -- Thierry Carrez OpenStack Vulnerability Management Team
participants (1)
-
Thierry Carrez