Unrestricted entity expansion can lead to a DoS vulnerability in REXML, like “Entity expansion DoS vulnerability in REXML (XML bomb, CVE-2013-1821)” and “CVE-2014-8080: Parameter Entity expansion DoS vulnerability in REXML”. This vulnerability has been assigned the CVE identifier CVE-2014-8090. We strongly recommend to upgrade ruby.
This is an additional fix for CVE-2013-1821 and CVE-2014-8080. The previous patches fixed recursive expansions in a number of places and total size created Strings. However, they did not take into account the former limit used for entity expansion. 100% CPU utilization can occur as a result of recursive expansion with an empty String. When reading text nodes from an XML document, the REXML parser can be coerced in to allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.
Impacted code will look something like this:
require 'rexml/document'
xml = <<XML
# ENTITY expansion vector
]>
XML
p REXML::Document.new(xml)
All users running an affected release should either upgrade or use one of the workarounds immediately.
If you cannot upgrade Ruby, use this monkey patch as a workaround:
class REXML::Document
def document
self
end
end
Thanks to Tomas Hoger for reporting this issue.
Posted by usa on 13 Nov 2014