Unrestricted entity expansion can lead to a DoS vulnerability in REXML, like
“Entity expansion DoS vulnerability in REXML (XML bomb, CVE-2013-1821)”
and “CVE-2014-8080: Parameter Entity expansion DoS vulnerability in REXML”.
This vulnerability has been assigned the CVE identifier
CVE-2014-8090.
We strongly recommend to upgrade Ruby.

Details

This is an additional fix for
CVE-2013-1821
and CVE-2014-8080.
The previous patches fixed recursive expansions in a number of places and
the total size of created Strings. However, they did not take into account the former
limit used for entity expansion. 100% CPU utilization can occur as a result
of recursive expansion with an empty String.
When reading text nodes from an XML document, the REXML parser can be coerced
into allocating extremely large string objects which can consume all of the
memory on a machine, causing a denial of service.

Impacted code will look something like this:

require 'rexml/document'

xml = <<XML
<!DOCTYPE root [
  # ENTITY expansion vector
]>
<cd></cd>
XML

p REXML::Document.new(xml)

All users running an affected release should either upgrade or use one
of the workarounds immediately.

Affected versions

• All Ruby 1.9 versions prior to Ruby 1.9.3 patchlevel 551
• All Ruby 2.0 versions prior to Ruby 2.0.0 patchlevel 598
• All Ruby 2.1 versions prior to Ruby 2.1.5
• prior to trunk revision 48402

Workarounds

If you cannot upgrade Ruby, use this monkey patch as a workaround:

class REXML::Document
  def document
    self
  end
end

Credits

Thanks to Tomas Hoger for reporting this issue.

History

• Originally published at 2014-11-13 12:00:00 UTC

Posted by usa on 13 Nov 2014