[OSSA 2013-023] Potential unsafe XML usage (CVE-2013-4179, CVE-2013-4202)

Analysis in Nova:

nova/nova/virt/libvirt/driver.py
What's getting parsed is XML from libvirt, not user-provided XML requests. So that's safe.

nova/nova/virt/xenapi/vm_utils.py
What's getting parsed is XML from XenServer, not user-provided XML requests, so that's safe.

nova/nova/api/openstack/compute/contrib/security_groups.py
While most calls use xmlutil.safe_minidom_parse_string (which is safe), there is one call in _extend_servers that still uses minidom.parseString(req.body) and therefore looks vulnerable.

nova/nova/api/openstack/compute/contrib/security_group_default_rules.py
Uses pure minidom in its XML deserializer, so probably vulnerable.

Quantum analysis:
My understanding is that million laughs/quadratic blowup needs DTD evaluation, and the ProtectedXMLParser protects against reading an included DTD, so that sounds safe.

I agree that more consistency across the board would be welcome though.

Looks vulnerable to me (contributed backups API extension)

Adding nova-core and cinder-core for help patching

Any patches should also include test case which validates that no code in GIT uses the vulnerable APIs, so we don't regress in this yet again.

We should push a minimal patch to fix the vulnerabilities first, that we can backport to stable branches.
Then for Havana and beyond we should push defusedxml parsers across the board.

A patch for nova is attached.

Could we have a patch for Cinder ?

cinder patch here

Looks good, could we have a cinder-core pre-approval here ? Patch is trivial so one should be enough

We need nova-core pre-approval on Mikal's patch too.

+2 On nova patch

Proposed impact description:

Title: Denial of Service using XML entities in some Nova and Cinder extensions
Reporter: Grant Murphy (Red Hat)
Products: Nova, Cinder
Affects: Grizzly

Description:
Grant Murphy from Red Hat reported that vulnerabilities in XML request parsers were not fully patched in OSSA 2013-004. By leveraging XML entity expansion in specific extensions, an unauthenticated attacker may still consume excessive resources on the Nova or Cinder API servers, resulting in a denial of service and potentially a crash. Only Nova setups making use of the security group extension in Grizzly are affected. Only Cinder setups making use of the backups or volume transfer API extension in Grizzly are affected.

The affected code was present in Grizzly but not in Folsom.

Thierry's impact description in comment #14 looks sane to me.

Sorry, Thierry's impact description in comment #13 looks sane to me.

+2 on the cinder patch.

CVE requested, no answer from Kurt yet

Sent CVE request again

Refreshed nova/havana patch

nova/grizzly patch backport

cinder/grizzly patch backport

cinder/master/gate-devstack-vm-full: PASS
cinder/grizzly/gate-devstack-vm-cinder: PASS

more tests tomorrow.

Nova tests fail with:

File "/opt/stack/new/nova/nova/api/openstack/compute/contrib/security_groups.py", line 33, in <module>
    from nova.openstack.common import xmlutils
ImportError: cannot import name xmlutils

missing a file in the grizzly backport. New version attached

nova/master/gate-devstack-vm-full: PASS
nova/grizzly/gate-devstack-vm-full: PASS

Version that doesn't fail pep8

Version that doesn't fail pep8

cinder/master/py27: PASS
cinder/master/pep8: PASS
nova/grizzly/py27: PASS
nova/grizzly/pep8: PASS
nova/master/py27: PASS
nova/master/pep8: PASS

Sent to downstream stakeholders
Proposed public disclosure date/time: Thursday, August 8, 1500UTC.

From Kurt:

Please use CVE-2013-4179 for Denial of Service using XML entities in
Nova extensions

Please use CVE-2013-4202 for Denial of Service using XML entities in
Cinder extensions

Fix proposed to branch: master
Review: https://review.openstack.org/40881

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/40883

Reviewed: https://review.openstack.org/40881
Committed: http://github.com/openstack/cinder/commit/4ad95dba4fccbbc0df923dea0dc9e5c3ac9f4cc2
Submitter: Jenkins
Branch: master

commit 4ad95dba4fccbbc0df923dea0dc9e5c3ac9f4cc2
Author: Thierry Carrez <email address hidden>
Date: Thu Aug 8 12:13:52 2013 +0200

    Use utils.safe_minidom_parse_string in extensions

    Use utils.safe_minidom_parse_string in extensions that were still
    using potentially-unsafe minidom.

    Fixes bug 1190229

    Change-Id: I43afb2e188bbea99ea30fe6cb2eb1aeedc4ddfd4

OSSA 2013-023

Reviewed: https://review.openstack.org/40883
Committed: http://github.com/openstack/cinder/commit/2023eecc4b1a35daf42a64fa01967ed12c7d017b
Submitter: Jenkins
Branch: stable/grizzly

commit 2023eecc4b1a35daf42a64fa01967ed12c7d017b
Author: John Griffith <email address hidden>
Date: Thu Aug 8 12:10:30 2013 +0200

    Use utils.safe_minidom_parse_string in extensions

    Use utils.safe_minidom_parse_string in extensions that were still
    directly using potentially-unsafe minidom.

    Grizzly backport of John Griffith's master patch.

    Fixes bug 1190229

    Change-Id: I43afb2e188bbea99ea30fe6cb2eb1aeedc4ddfd4

I will be out of the office starting 2013-09-05 and will not return until
2013-09-15.

I will be on my marriage leave from 9/5 to 9/15, for any urgent issue
please call me before 9/7.

For daily work, please ask my scrum master Zhu Zhu for help.
For glance issue, please ask glance SME Feilong Wang for help.
For defect report, there will be no report next week.