oss-sec mailing list archives
Re: CVE request: "billion laughs" attack against Apache APR
From: Eygene Ryabinkin <rea-sec () codelabs ru>
Date: Sat, 6 Jun 2009 20:00:20 +0400
Good day.

Wed, Jun 03, 2009 at 04:07:43PM +0100, Joe Orton wrote:
> The expat XML parser is vulnerable to the "billion laughs" entity expansion attack. This results in a denial of service vulnerability in any network-facing service which uses the Apache "APR-util" library's wrapper interface for expat to parse untrusted XML documents. The Apache httpd WebDAV module "mod_dav" is such a service.
>
> References:
> http://milw0rm.com/exploits/8842
> http://marc.info/?l=apr-dev&m=124396021826125&w=2
> http://svn.apache.org/viewvc?rev=781403&view=rev
>
> Affected versions: APR-util <= 1.3.4

Fri, Jun 05, 2009 at 08:21:16PM -0400, Josh Bressers wrote:
> So there's another apr-util flaw. The initial mail makes it sound pretty scary, but it's really not that bad. You can find all the scary details here: https://bugzilla.redhat.com/show_bug.cgi?id=504390

Please note that these two issues and CVE-2009-0023 seem to be applicable to Apache 2.2.11 and Apache 2.0.63 (the latest 2.x versions), since they have apr-util bundled inside. At least both have the vulnerable code, and I have verified the "billion laughs" attack against Apache 2.2.11 with Subversion mod_dav_svn, which uses the internal Apache libaprutil. The OS for testing was FreeBSD, but I think that others are affected as well. CC'ing Apache security contacts in case they aren't informed about this issue yet. Folks, maybe I am wrong in my assertions?

--
Eygene
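As an added illustration of the failure mode discussed in this thread (this is example code, not APR-util's or expat's own): a wrapper around expat (here Python's stdlib binding to the same parser) that refuses any document declaring entities, compared with an unprotected parse of a small constructed entity-nesting document to show how far the expanded character data outgrows the input. Document contents and the 3-level nesting are constructed for the demonstration.

```python
import xml.parsers.expat as expat


class EntityDeclarationRejected(Exception):
    """Raised from the entity-declaration callback to abort the parse."""


def parse_untrusted_xml(data: bytes, reject_entity_decls: bool = True) -> dict:
    """Parse with expat and return {'ok', 'reason', 'elements', 'text_bytes'}.

    With reject_entity_decls=True, the first <!ENTITY ...> declaration stops
    the parse before expat ever expands anything, so nested entities cannot
    amplify.  With it off, the summary shows how much character data the
    expansion actually produced.
    """
    parser = expat.ParserCreate()
    stats = {"elements": 0, "text_bytes": 0}

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Untrusted input has no business declaring entities; refuse outright.
        raise EntityDeclarationRejected(f"entity declaration {name!r} not allowed")

    def on_start(name, attrs):
        stats["elements"] += 1

    def on_chars(text):
        # Expanded entity content arrives here, possibly in several chunks.
        stats["text_bytes"] += len(text)

    if reject_entity_decls:
        parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    try:
        parser.Parse(data, True)
    except EntityDeclarationRejected as exc:
        return {"ok": False, "reason": str(exc), **stats}
    except expat.ExpatError as exc:
        return {"ok": False, "reason": f"malformed: {exc}", **stats}
    return {"ok": True, "reason": None, **stats}


# Constructed samples: a normal WebDAV PROPFIND body, and a 3-level nesting
# where a ~200-byte document expands to 1000 characters of text.
BENIGN_DOC = b'<?xml version="1.0"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>'
NESTED_DOC = (b'<?xml version="1.0"?>\n<!DOCTYPE d [\n'
              b' <!ENTITY a "aaaaaaaaaa">\n'
              b' <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
              b' <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">\n]>\n<d>&c;</d>')
```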