XML-RPC DoS

A denial of service flaw was found in the way Simple XML-RPC Server module of Python processed client connections, that were closed prior the complete request body has been received. A remote attacker could use this flaw to cause Python Simple XML-RPC based server process to consume excessive amount of CPU.

Dates:

• Disclosure date: 2012-02-13 (Python issue bpo-14001 reported)

Fixed In

• Python 2.6.8 (2012-04-10) fixed by commit 66f3cc6 (branch 2.6) (2012-02-18)
• Python 2.7.3 (2012-04-09) fixed by commit 66f3cc6 (branch 2.6) (2012-02-18)
• Python 3.1.5 (2012-04-08) fixed by commit ec1712a (branch 3.2) (2012-02-18)
• Python 3.2.3 (2012-04-10) fixed by commit ec1712a (branch 3.2) (2012-02-18)
• Python 3.3.0 (2012-09-29) fixed by commit ec1712a (branch 3.2) (2012-02-18)

Python issue

CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request.

• Python issue: bpo-14001
• Creation date: 2012-02-13
• Reporter: Jan Lieskovsky

CVE-2012-0845

SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.

• CVE ID: CVE-2012-0845
• Published: 2012-10-05
• CVSS Score: 5.0

Timeline

Timeline using the disclosure date 2012-02-13 as reference:

• 2012-02-13: Python issue bpo-14001 reported by Jan Lieskovsky
• 2012-02-18 (+5 days): commit 66f3cc6 (branch 2.6)
• 2012-02-18 (+5 days): commit ec1712a (branch 3.2)
• 2012-04-08 (+55 days): Python 3.1.5 released
• 2012-04-09 (+56 days): Python 2.7.3 released
• 2012-04-10 (+57 days): Python 2.6.8 released
• 2012-04-10 (+57 days): Python 3.2.3 released
• 2012-09-29: Python 3.3.0 released
• 2012-10-05 (+235 days): CVE-2012-0845 published