CVE-2012-0845: XML-RPC DoS

A denial of service flaw was found in the way Simple XML-RPC Server module of Python processed client connections, that were closed prior the complete request body has been received. A remote attacker could use this flaw to cause Python Simple XML-RPC based server process to consume excessive amount of CPU.

  • Disclosure date: 2012-02-13 (Python issue #14001 reported)

Fixed In

Python issue

CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request.

  • Python issue: issue #14001
  • Creation date: 2012-02-13
  • Reporter: Jan Lieskovsky

CVE-2012-0845

SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.

Timeline

Timeline using the disclosure date 2012-02-13 as reference:

  • 2012-02-13: Python issue #14001 reported by Jan Lieskovsky
  • 2012-02-18 (+5 days): commit 66f3cc6
  • 2012-02-18 (+5 days): commit ec1712a
  • 2012-04-08 (+55 days): Python 3.1.5 released
  • 2012-04-09 (+56 days): Python 2.7.3 released
  • 2012-04-10 (+57 days): Python 2.6.8 released
  • 2012-04-10 (+57 days): Python 3.2.3 released
  • 2012-09-29: Python 3.3.0 released
  • 2012-10-05 (+235 days): CVE-2012-0845 published