Eucalyptus issue EUCA-5277

Walrus XML parsing allows document type declaration

    Details

    • Security:
      Yes
    • SLA:
      Not Applicable
    • Rank:
      9152
    • Damage Potential:
      57
    • Business Impact:
      0.84
    • Total Risk:
      47.88

      Description

      Walrus insecurely parses XML for some request messages (e.g., bucket logging); this can be used to consume server resources, resulting in a denial of service (such as using all memory or using up all available threads). The server logs may show out-of-memory errors when various threads fail (high CPU usage would also be observed during such an attack).

      This issue was originally reported by Steve Jones.
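The hardening this issue's fix describes (disabling DTD processing in a single, securely configured DocumentBuilder), shown as an added example that is not Eucalyptus or Walrus code: the helper class, its names and the sample request bodies are constructed for illustration, and a body that carries a document type declaration is rejected before any DTD content is processed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class SecureXmlParsing {
    // Hypothetical helper (not from Walrus): the factory is configured once and reused.
    private static final DocumentBuilderFactory FACTORY = newSecureFactory();

    private static DocumentBuilderFactory newSecureFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        try {
            // Reject any DOCTYPE outright: with no DTD there is no entity expansion to exhaust memory.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth, should a parser implementation ignore the feature above.
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setExpandEntityReferences(false);
        } catch (ParserConfigurationException e) {
            // Fail closed: a parser that cannot be hardened must not handle request bodies.
            throw new IllegalStateException("XML parser lacks required security features", e);
        }
        return f;
    }

    // Parses a request body; returns null when the parser rejects it (e.g. it carries a DOCTYPE).
    public static Document parseRequest(String xml) {
        try {
            DocumentBuilder builder;
            synchronized (FACTORY) { builder = FACTORY.newDocumentBuilder(); } // factory is not thread-safe
            return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample bodies: a bucket-logging request, and the same body prefixed with a DTD.
        String plain = "<BucketLoggingStatus><LoggingEnabled><TargetBucket>logs</TargetBucket>"
                     + "</LoggingEnabled></BucketLoggingStatus>";
        String withDtd = "<!DOCTYPE BucketLoggingStatus [<!ELEMENT BucketLoggingStatus ANY>]>" + plain;
        System.out.println("plain body accepted: " + (parseRequest(plain) != null));
        System.out.println("DTD body rejected:   " + (parseRequest(withDtd) == null));
    }
}
```

With the JDK's built-in parser the second body fails with a SAXParseException at the DOCTYPE, so the rejection is logged as a malformed request rather than surfacing later as memory or thread exhaustion.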

        Activity

        Neil Soman added a comment -

        Ready for security review: team/storage/EUCA-2031

        Neil Soman added a comment -

        commit c117ddb20a17da6acc4b99e05c99e24a66950cf1
        Author: Neil Soman <neil@eucalyptus.com>
        Date: Sat Mar 9 14:15:11 2013 -0800

        Disable DTD processing when parsing XML snippets.

        Get rid of unused XMLParser.

        Make sure that DocumentBuilder is used securely and defined only once.

        Vika Felmetsger added a comment -

        I have reviewed and tested the security aspect of the fix and will spot check once packages are available.

        Aaron Withrow added a comment -

        3.2.2 has been released, moving this to Resolved.
