CVE-2012-0845: XML-RPC DoS¶
A denial of service flaw was found in the way Simple XML-RPC Server module of Python processed client connections, that were closed prior the complete request body has been received. A remote attacker could use this flaw to cause Python Simple XML-RPC based server process to consume excessive amount of CPU.
- Disclosure date: 2012-02-13 (Python issue bpo-14001 reported)
- Python 2.6.8 (2012-04-10) fixed by commit 66f3cc6 (branch 2.6) (2012-02-18)
- Python 2.7.3 (2012-04-09) fixed by commit 66f3cc6 (branch 2.6) (2012-02-18)
- Python 3.1.5 (2012-04-08) fixed by commit ec1712a (branch 3.2) (2012-02-18)
- Python 3.2.3 (2012-04-10) fixed by commit ec1712a (branch 3.2) (2012-02-18)
- Python 3.3.0 (2012-09-29) fixed by commit ec1712a (branch 3.2) (2012-02-18)
CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request.
- Python issue: bpo-14001
- Creation date: 2012-02-13
- Reporter: Jan Lieskovsky
SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.
Timeline using the disclosure date 2012-02-13 as reference:
- 2012-02-13: Python issue bpo-14001 reported by Jan Lieskovsky
- 2012-02-18 (+5 days): commit 66f3cc6 (branch 2.6)
- 2012-02-18 (+5 days): commit ec1712a (branch 3.2)
- 2012-04-08 (+55 days): Python 3.1.5 released
- 2012-04-09 (+56 days): Python 2.7.3 released
- 2012-04-10 (+57 days): Python 2.6.8 released
- 2012-04-10 (+57 days): Python 3.2.3 released
- 2012-09-29: Python 3.3.0 released
- 2012-10-05 (+235 days): CVE-2012-0845 published