Vulnerabilities > CVE-2016-8734 - Resource Exhaustion vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- XML Ping of the Death An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
- XML Entity Expansion An attacker submits an XML document to a target application where the XML document uses nested entity expansion to produce an excessively large output XML. XML allows the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.
- Inducing Account Lockout An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.
- Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS)) XML Denial of Service (XDoS) can be applied to any technology that utilizes XML data. This is, of course, most distributed systems technology including Java, .Net, databases, and so on. XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. There are three primary attack vectors that XDoS can navigate Target CPU through recursion: attacker creates a recursive payload and sends to service provider Target memory through jumbo payloads: service provider uses DOM to parse XML. DOM creates in memory representation of XML document, but when document is very large (for example, north of 1 Gb) service provider host may exhaust memory trying to build memory objects. XML Ping of death: attack service provider with numerous small files that clog the system. All of the above attacks exploit the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.
Nessus
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2504.NASL description According to the versions of the subversion packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Apache Subversion last seen 2020-05-08 modified 2019-12-04 plugin id 131657 published 2019-12-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131657 title EulerOS 2.0 SP2 : subversion (EulerOS-SA-2019-2504) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3388-1.NASL description Joern Schneeweisz discovered that Subversion did not properly handle host names in last seen 2020-06-01 modified 2020-06-02 plugin id 102424 published 2017-08-11 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102424 title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : subversion vulnerabilities (USN-3388-1) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_AC256985B6A911E6A3BF206A8A720317.NASL description The Apache Software Foundation reports : The mod_dontdothat module of subversion and subversion clients using http(s):// are vulnerable to a denial-of-service attack, caused by exponential XML entity expansion. The attack targets XML parsers causing targeted process to consume excessive amounts of resources. The attack is also known as the last seen 2020-06-01 modified 2020-06-02 plugin id 95409 published 2016-11-30 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95409 title FreeBSD : subversion -- Unrestricted XML entity expansion in mod_dontdothat and Subversionclients using http(s) (ac256985-b6a9-11e6-a3bf-206a8a720317) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2669.NASL description According to the versions of the subversion packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Apache Subversion last seen 2020-05-08 modified 2019-12-18 plugin id 132204 published 2019-12-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132204 title EulerOS 2.0 SP3 : subversion (EulerOS-SA-2019-2669) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2017-794.NASL description It was discovered that Subversion last seen 2020-06-01 modified 2020-06-02 plugin id 97024 published 2017-02-07 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/97024 title Amazon Linux AMI : subversion / mod_dav_svn (ALAS-2017-794) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1435.NASL description This update for subversion fixes the following issues : - Version update to 1.9.5 : - Unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s):// (boo#1011552, CVE-2016-8734) - Client-side bugfixes : - fix accessing non-existent paths during reintegrate merge (r1766699 et al) - fix handling of newly secured subdirectories in working copy (r1724448) - info: remove trailing whitespace in --show-item=revision (issue #4660) - fix recording wrong revisions for tree conflicts (r1734106) - gpg-agent: improve discovery of gpg-agent sockets (r1766327) - gpg-agent: fix file descriptor leak (r1766323) - resolve: fix --accept=mine-full for binary files (issue #4647) - merge: fix possible crash (issue #4652) - resolve: fix possible crash (r1748514) - fix potential crash in Win32 crash reporter (r1663253 et al) - Server-side bugfixes : - fsfs: fix last seen 2020-06-05 modified 2016-12-12 plugin id 95707 published 2016-12-12 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95707 title openSUSE Security Update : subversion (openSUSE-2016-1435) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2550.NASL description According to the versions of the subversion packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Integer overflow in util.c in mod_dav_svn in Apache Subversion 1.7.x, 1.8.x before 1.8.15, and 1.9.x before 1.9.3 allows remote authenticated users to cause a denial of service (subversion server crash or memory consumption) and possibly execute arbitrary code via a skel-encoded request body, which triggers an out-of-bounds read and heap-based buffer overflow.(CVE-2015-5343) - The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string.(CVE-2016-2167) - The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check.(CVE-2016-2168) - Apache Subversion last seen 2020-05-08 modified 2019-12-09 plugin id 131824 published 2019-12-09 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131824 title EulerOS 2.0 SP5 : subversion (EulerOS-SA-2019-2550) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3932.NASL description Several problems were discovered in Subversion, a centralised version control system. - CVE-2016-8734 (jessie only) Subversion last seen 2020-06-01 modified 2020-06-02 plugin id 102372 published 2017-08-11 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102372 title Debian DSA-3932-1 : subversion - security update NASL family Fedora Local Security Checks NASL id FEDORA_2017-C629F16F6C.NASL description This update includes the latest stable release of _Apache Subversion_, version **1.9.5**. #### Client-side bugfixes : - fix accessing non-existent paths during reintegrate merge - fix handling of newly secured subdirectories in working copy - info: remove trailing whitespace in --show-item=revision ([issue 4660](http://subversion.tigris.org/issues/show_bug.cgi?i d=4660)) - fix recording wrong revisions for tree conflicts - gpg-agent: improve discovery of gpg-agent sockets - gpg-agent: fix file descriptor leak - resolve: fix --accept=mine-full for binary files ([issue 4647](http://subversion.tigris.org/issues/show_bug.cgi?i d=4647)) - merge: fix possible crash ([issue 4652](http://subversion.tigris.org/issues/show_bug.cgi?i d=4652)) - resolve: fix possible crash - fix potential crash in Win32 crash reporter #### Server-side bugfixes : - fsfs: fix last seen 2020-06-05 modified 2017-01-10 plugin id 96360 published 2017-01-10 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96360 title Fedora 25 : subversion (2017-c629f16f6c) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-1_0-0093.NASL description An update of 'linux', 'krb5', 'subversion', 'apr', 'ncurses' packages of Photon OS has been released. last seen 2019-02-21 modified 2019-02-07 plugin id 111903 published 2018-08-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111903 title Photon OS 1.0: Apr / Krb5 / Linux / Ncurses / Subversion PHSA-2017-1.0-0093 (deprecated) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-1_0-0093_SUBVERSION.NASL description An update of the subversion package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121782 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121782 title Photon OS 1.0: Subversion PHSA-2017-1.0-0093
References
- http://www.debian.org/security/2017/dsa-3932
- http://www.debian.org/security/2017/dsa-3932
- http://www.securityfocus.com/bid/94588
- http://www.securityfocus.com/bid/94588
- http://www.securitytracker.com/id/1037361
- http://www.securitytracker.com/id/1037361
- https://lists.apache.org/thread.html/7798f5cda1b2a3c70db4be77694b12dec8fcc1a441b00009d44f0e09%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/7798f5cda1b2a3c70db4be77694b12dec8fcc1a441b00009d44f0e09%40%3Cannounce.apache.org%3E
- https://subversion.apache.org/security/CVE-2016-8734-advisory.txt
- https://subversion.apache.org/security/CVE-2016-8734-advisory.txt
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html