|
Message-ID: <5203C2DA.1020806@openstack.org> Date: Thu, 08 Aug 2013 18:10:02 +0200 From: Thierry Carrez <thierry@...nstack.org> To: Open Source Security <oss-security@...ts.openwall.com> Subject: [OSSA 2013-023] Denial of Service using XML entities in Nova/Cinder extensions (CVE-2013-4179, CVE-2013-4202) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenStack Security Advisory: 2013-023 CVE: CVE-2013-4179, CVE-2013-4202 Date: August 8, 2013 Title: Denial of Service using XML entities in Nova/Cinder extensions Reporter: Grant Murphy (Red Hat) Products: Nova, Cinder Affects: Grizzly and later Description: Grant Murphy from Red Hat reported that vulnerabilities in XML request parsers were not fully patched in OSSA 2013-004. By leveraging XML entity expansion in specific extensions, an unauthenticated attacker may still consume excessive resources on the Nova (CVE-2013-4179) or Cinder (CVE-2013-4202) API servers, resulting in a denial of service and potentially a crash. Only Nova setups making use of the security group extension in Grizzly are affected. Only Cinder setups making use of the backups or volume transfer API extension in Grizzly are affected. Havana (development branch) fixes: Nova: https://review.openstack.org/40879 Cinder: https://review.openstack.org/40881 Grizzly fixes: Nova: https://review.openstack.org/40880 Cinder: https://review.openstack.org/40883 Note: The Nova and Cinder Grizzly fixes will be included in the upcoming 2013.1.3 stable release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4179 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4202 https://launchpad.net/bugs/1190229 Regards, - -- Thierry Carrez OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBCAAGBQJSA8LaAAoJEFB6+JAlsQQjQUsQAK6nFmxXNqX8f5toY7eF+f8Q 1wx9w5/TQQTAuiBwTJvmLm3dSluE+llo9bbb9Sce3hc5MAJKcaZq4FO9DDk0W5vs oQSLP5EzcSocjVK4CW523y1fYHViiac566cfCp32il5FMFPrmZ0qGmIhs60r+bUa FzjIZXsXGX8o+c9JYcaPt9B9pYp6bjriicSVEexyic5yBcfAmS2yR089waVoloSo 829R6CbMfbWqtusXzUrgfWj1jQI7tf4uu8Q5xmP+TOQCiUd4fQLFFlvIv7kjvWC4 4Gjx1rzf3sFAPsrWuTKBHsZ6wX2yIKf5rNuPo0K0bvPn8XSAwrcY4fkXCrECLz4y 7bbn/oD2Bkou26V09zMtqjE5pgmVvYi1daEZifn/OMyzh0jr5CP8bXoR6UEHcX7v FY94el6JWoJTobU+ltehSO8pliHTv2CtuyWYI32sQMXyF6KHuKuLKeT7EC3VfZ55 YSzY/XRjORiRQOItZtRq2mY62MSYA0OFm4Lpp9cHR6S25Nh+et7JBPmjkcgQsDTm IRhd61Rv7PJ5maH6bM5Oip8djFsh4+H0Bi8t0kJPdo+XQKhk8Je6c5adlvHh0C/V m3ngEfkvyHcFooezpqStj2EIq3qUltkarPw5U1Z8xxLEc40tI+Z+KWXof1xWLyhG ysDHEU9BAjE8N9BA/rvN =03Ze -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.