Date: Thu, 08 Aug 2013 18:10:02 +0200
From: Thierry Carrez <thierry@...nstack.org>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: [OSSA 2013-023] Denial of Service using XML entities in Nova/Cinder extensions (CVE-2013-4179, CVE-2013-4202)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-023
CVE: CVE-2013-4179, CVE-2013-4202
Date: August 8, 2013
Title: Denial of Service using XML entities in Nova/Cinder extensions
Reporter: Grant Murphy (Red Hat)
Products: Nova, Cinder
Affects: Grizzly and later

Description:
Grant Murphy from Red Hat reported that vulnerabilities in XML request
parsers were not fully patched in OSSA 2013-004. By leveraging XML
entity expansion in specific extensions, an unauthenticated attacker may
still consume excessive resources on the Nova (CVE-2013-4179) or Cinder
(CVE-2013-4202) API servers, resulting in a denial of service and
potentially a crash. Only Nova setups making use of the security group
extension in Grizzly are affected. Only Cinder setups making use of the
backups or volume transfer API extension in Grizzly are affected.

Havana (development branch) fixes:
Nova: https://review.openstack.org/40879
Cinder: https://review.openstack.org/40881

Grizzly fixes:
Nova: https://review.openstack.org/40880
Cinder: https://review.openstack.org/40883

Note: The Nova and Cinder Grizzly fixes will be included in the upcoming
2013.1.3 stable release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4202
https://launchpad.net/bugs/1190229

Regards,

-- 
Thierry Carrez
OpenStack Vulnerability Management Team
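The entity-expansion pattern the advisory describes, shown as an added example that is not Nova's or Cinder's own code and not the fix linked above: a constructed "billion laughs" style document is fed to a stock expat parser, which materialises the expanded text, and then to a parser hardened the way an API request deserializer should be, which refuses DOCTYPE, entity declarations and external entity references before any expansion can occur. The payload builder, the `hardened_parser` function and the sample volume body are assumptions made for illustration.

```python
"""Constructed example: XML entity expansion against an unhardened expat
parser, beside a parser hardened the way an API request deserializer
should be.  Not Nova/Cinder code; names here are illustrative."""
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when a request body uses XML features an API should never accept."""


def build_expansion_payload(depth=3, fanout=10, base="lol"):
    """Build a constructed "billion laughs" style document.

    Entity e(i) references e(i-1) `fanout` times, so the text the parser
    must materialise grows as len(base) * fanout**depth while the request
    body itself grows only linearly with depth.
    """
    decls = ['<!ENTITY e0 "%s">' % base]
    for i in range(1, depth + 1):
        decls.append('<!ENTITY e%d "%s">' % (i, ("&e%d;" % (i - 1)) * fanout))
    return ('<?xml version="1.0"?>\n<!DOCTYPE root [\n%s\n]>\n<root>&e%d;</root>'
            % ("\n".join(decls), depth))


def expected_expansion(depth=3, fanout=10, base="lol"):
    """Characters of text the unhardened parser will materialise for the payload."""
    return len(base) * fanout ** depth


def _count_text(parser, xml_str):
    """Parse and return how many characters of text the parser delivered."""
    total = [0]

    def on_text(data):
        total[0] += len(data)

    parser.CharacterDataHandler = on_text
    parser.Parse(xml_str, True)
    return total[0]


def unsafe_text_length(xml_str):
    """Default expat parser: internal entities are expanded, so the
    attacker decides how much memory and CPU the server spends."""
    return _count_text(expat.ParserCreate(), xml_str)


def hardened_parser():
    """Parser that refuses DOCTYPE, entity declarations and external
    entity references before any expansion can happen.  API bodies never
    legitimately need a DTD, so rejecting the DOCTYPE outright is the
    simplest rule; the entity handlers are a second line of defence."""
    parser = expat.ParserCreate()

    def reject(feature):
        def handler(*args):
            # Exceptions raised in a handler propagate out of Parse().
            raise UnsafeXMLError("%s not allowed in request body" % feature)
        return handler

    parser.StartDoctypeDeclHandler = reject("DOCTYPE")
    parser.EntityDeclHandler = reject("entity declaration")
    parser.UnparsedEntityDeclHandler = reject("unparsed entity declaration")
    parser.ExternalEntityRefHandler = reject("external entity reference")
    # Never fetch or expand parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    return parser


def safe_text_length(xml_str):
    """Parse with the hardened parser; raises UnsafeXMLError on hostile input."""
    return _count_text(hardened_parser(), xml_str)


def parse_rejected(xml_str):
    """True if the hardened parser refuses the document."""
    try:
        safe_text_length(xml_str)
    except UnsafeXMLError:
        return True
    return False


if __name__ == "__main__":
    payload = build_expansion_payload()
    print("request body: %d bytes" % len(payload))
    print("unhardened parser materialised: %d chars" % unsafe_text_length(payload))
    print("hardened parser rejected it: %s" % parse_rejected(payload))
    benign = "<volume><display_name>backup-1</display_name></volume>"  # constructed
    print("hardened parser on benign body: %d chars" % safe_text_length(benign))
```

The check this advisory implies for a deployer or reviewer is not about the parser itself but about coverage: a hardened parser only helps on the code paths that use it, and the bug here was extensions that still deserialized request bodies through a stock parser. Grep every XML deserializer in the API extensions for direct parser construction and route all of them through the one hardened entry point.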
