Posted by usa on 22 Feb 2013
Unrestricted entity expansion can lead to a DoS vulnerability in REXML. This vulnerability has been assigned the CVE identifier CVE-2013-1821. We strongly recommend to upgrade ruby.
When reading text nodes from an XML document, the REXML parser can be coerced in to allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.
Impacted code will look something like this:
When the `text` method is called, entities will be expanded. An attacker can send a relatively small XML document that, when the entities are resolved, will consume extreme amounts of memory on the target system.
Note that this attack is similar to, but different from the Billion Laughs attack. This is also related to CVE-2013-1664 of Python.
All users running an affected release should either upgrade or use one of the workarounds immediately.
If you cannot upgrade Ruby, use this monkey patch as a workaround:
This monkey patch will limit the size of the entity substitutions to 10k per node. REXML already defaults to only allow 10000 entity substitutions per document, so the maximum amount of text that can be generated by entity substitution will be around 98 megabytes.
- All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 392
- All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 0
- prior to trunk revision 39384
Thanks to Ben Murphy for reporting this issue.
- Added about CVE number at 2013-03-11 07:45:00 (UTC)
- Originally published at 2013-02-22 12:00:00 (UTC)