Bug 1011836 - (CVE-2015-8978) VUL-0: CVE-2015-8978: perl-SOAP-Lite: XML exponential entity expansion denial-of-service
(CVE-2015-8978)
VUL-0: CVE-2015-8978: perl-SOAP-Lite: XML exponential entity expansion denial...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/176689/
CVSSv2:RedHat:CVE-2015-8978:4.3:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-11-23 11:05 UTC by Alexander Bergmann
Modified: 2016-12-11 21:21 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2016-11-23 11:05:50 UTC
rh#1397731

In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier,
an example attack consists of defining 10 or more XML entities, each
defined as consisting of 10 of the previous entity, with the document
consisting of a single instance of the largest entity, which expands to
one billion copies of the first entity. The amount of computer memory
used for handling an external SOAP call would likely exceed that
available to the process parsing the XML.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1397731
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8978
http://www.cvedetails.com/cve/CVE-2015-8978/
http://cpansearch.perl.org/src/PHRED/SOAP-Lite-1.20/Changes
Comment 1 Alexander Bergmann 2016-11-23 11:07:35 UTC
This needs to be fixed in openSUSE:Leap:42.1 and 42.2.

The SDKs for 11-SP4 and 12-SP2 are also affected.
Comment 2 Swamp Workflow Management 2016-11-23 23:01:08 UTC
bugbot adjusting priority
Comment 3 Petr Gajdos 2016-11-24 08:52:20 UTC
(In reply to Alexander Bergmann from comment #0)
> rh#1397731
> 
> In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier,
                                                       ^^^^^^^^^^^^^^^^^

(In reply to Alexander Bergmann from comment #1)
> This needs to be fixed in openSUSE:Leap:42.1 and 42.2.
> 
> The SDKs for 11-SP4 and 12-SP2 are also affected.

Given we have version 1.20 in Tumbleweed and 42.2 and version 1.19 in 42.1 and 12sp2, I tend to believe only 11 is affected (code applies there).
Comment 4 Petr Gajdos 2016-11-24 08:54:17 UTC
Package submitted.
Comment 6 Swamp Workflow Management 2016-12-08 13:07:56 UTC
SUSE-SU-2016:3052-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1011836
CVE References: CVE-2015-8978
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    perl-SOAP-Lite-0.710.08-3.1
Comment 7 Marcus Meissner 2016-12-11 20:06:30 UTC
seems done