DoS vulnerability in REXML

Ruby
1

Hello,

DoS vulenerabilitiy has been discovered in REXML.
You can also read this report at the following URL.

URL:http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/

= DoS vulnerability in REXML

There is a DoS vulnerability in the REXML library used by Rails to
parse incoming XML requests. A so-called “XML entity explosion” attack
technique can be used for remotely bringing down (disabling) any
application which parses user-provided XML. Most Rails applications
will be vulnerable to this attack.

== Impact

An attacker can cause a denial of service by causing REXML to parse a
document containing recursively nested entities such as:

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE member [

]>

&a;

== Vulnerable versions

=== 1.8 series

  • 1.8.6-p287 and all prior versions
  • 1.8.7-p72 and all prior versions

=== 1.9 series

  • all versions

== Solution

Please download the following monkey patch to fix this problem.

URL:http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb

Then fix your application to load rexml-expansion-fix.rb before using
REXML.

require “rexml-expansion-fix”

doc = REXML::Document.new(str)

If you have a Rails application, copy rexml-expansion-fix.rb into a
directory on the load path (such as RAILS_ROOT/lib/), and put the
following line into config/environment.rb.

require “rexml-expansion-fix”

If your application is Rails 2.1 or later, you can simply copy
rexml-expansion-fix.rb to RAILS_ROOT/config/initializers and it will
be required automatically.

By default, XML entity expansion limit is 10000. You can change it by
changing REXML::Document.entity_expansion_limit. e.g.

REXML::Document.entity_expansion_limit = 1000

This fix will be made available as a gem and used by future versions of
rails, but users should take corrective action immediately.

== Credit

Credit to Luka Treiber and Mitja Kolsek of ACROS Security for
disclosing the problem to Ruby and Rails Security Teams.

Credit to Michael K. of Rails Core Team for creating the monkey
patch to fix the vulnerability.

2

Shugo M. wrote:

parse incoming XML requests.
To be clear: This is a Rails issue, not a general REXML issue?

The post suggests that Rails uses a different REXML library than what
ships with the standard Ruby distro, and mentions no other Ruby
framework (Web or otherwise).


James B.

www.happycamperstudios.com - Wicked Cool Coding
www.jamesbritt.com - Playing with Better Toys
www.ruby-doc.org - Ruby Help & Documentation
www.rubystuff.com - The Ruby Store for Ruby Stuff

3

On Sat, Aug 23, 2008 at 9:28 AM, James B. [email protected]
wrote:

= DoS vulnerability in REXML

There is a DoS vulnerability in the REXML library used by Rails to
parse incoming XML requests.

To be clear: This is a Rails issue, not a general REXML issue?

The post suggests that Rails uses a different REXML library than what ships
with the standard Ruby distro, and mentions no other Ruby framework (Web or
otherwise).

But the versions it lists affected are Ruby versions, not Rails
versions. Since REXML is part of the standard library, and particular
Ruby (not Rails) versions are affected, I think the part of the
description that focuses on the risk to Rails is most likely
misguided, and that its a general REXML, not Rails, problem.

Testing the example file in irb on Ruby 1.8.6 on WinXP, without
loading any rails-related libraries, it seems to grab all the
processor resources it can and just hang (this occurs when you access
the only text node of the root element, not on the initial parse,
because until you do that, REXML doesn’t try to expand the entities),
so I think tha clinches that its Ruby, not Rails.

4

Christopher D. wrote:

= DoS vulnerability in REXML
But the versions it lists affected are Ruby versions, not Rails
versions.

The original post said referred to “the REXML library used by Rails”,
not the REXML library included with Ruby’s standard distro.

And were this an issue with a standard Ruby lib, and not a customized
Rails version, I would have expected an actual patch for the REXML
source so that all code using REXML is patched.

so I think tha clinches that its Ruby, not Rails.
Then the original post is misleading in emphasizing Rails.

Lots of people use REXML on the Web outside of Rails, so the effect on
Rails is incidental to the real problem and should have been omitted for
clarity.


James B.

www.happycamperstudios.com - Wicked Cool Coding
www.jamesbritt.com - Playing with Better Toys
www.ruby-doc.org - Ruby Help & Documentation
www.rubystuff.com - The Ruby Store for Ruby Stuff

5

Want to name someone evil? I’d vote this is an issue of XML itself.
REXML is just doing what it is asked to do. The problem is, it’s (by
design) unclear how much resources are required to parse an XML
document, until we actually parse that document.

So, in fact this problem can happen without REXML, or even without
Ruby. If you’re using other XML parser, be sure that engine can handle
this issue correctly.

6

Urabe S. wrote:

James B. wrote:

Then the original post is misleading in emphasizing Rails.

Lots of people use REXML on the Web outside of Rails, so the effect on
Rails is incidental to the real problem and should have been omitted
for clarity.

Incidental yes, but that doesn’t mean Rails users must be ignored.
Perhaps web-admins should not omit Rails workarounds, but also add a
note that non-Rails apps can suffer this issue.

Not ignored, but the report should focus on the risk to any application
using Ruby’s standard REXML library, including, but not limited to, Web
applications, such as as Merb, Ramaze, Rails, and others that may be
accepting arbitrary XML from outside source.


James B.

www.happycamperstudios.com - Wicked Cool Coding
www.jamesbritt.com - Playing with Better Toys
www.ruby-doc.org - Ruby Help & Documentation
www.rubystuff.com - The Ruby Store for Ruby Stuff

7

On Sat, Aug 23, 2008 at 7:37 PM, Urabe S. [email protected]
wrote:

James B. wrote:

Then the original post is misleading in emphasizing Rails.

Lots of people use REXML on the Web outside of Rails, so the effect on
Rails is incidental to the real problem and should have been omitted
for clarity.

Incidental yes, but that doesn’t mean Rails users must be ignored.
Perhaps web-admins should not omit Rails workarounds, but also add a
note that non-Rails apps can suffer this issue.

But really, the case is “Any Ruby code parsing user passed XML”, which
is in no way limited to Rails.
It’s reasonable to say “Hey Rails kids, this means you!”, but I think
it’s a little misleading to pass it off as a Rails bug with a
monkeypatch rather than a patch against Ruby itself.

-greg

8

On Sat, Aug 23, 2008 at 7:56 PM, Gregory B.
[email protected] wrote:
te that non-Rails apps can suffer this issue.

But really, the case is “Any Ruby code parsing user passed XML”,

*with REXML

-greg

9

James B. wrote:

Then the original post is misleading in emphasizing Rails.

Lots of people use REXML on the Web outside of Rails, so the effect on
Rails is incidental to the real problem and should have been omitted
for clarity.

Incidental yes, but that doesn’t mean Rails users must be ignored.
Perhaps web-admins should not omit Rails workarounds, but also add a
note that non-Rails apps can suffer this issue.

10

On Sat, Aug 23, 2008 at 4:52 PM, Gregory B.
[email protected] wrote:

note that non-Rails apps can suffer this issue.

But really, the case is “Any Ruby code parsing user passed XML”, which
is in no way limited to Rails.
It’s reasonable to say “Hey Rails kids, this means you!”, but I think
it’s a little misleading to pass it off as a Rails bug with a
monkeypatch rather than a patch against Ruby itself.

I don’t think the monkeypatch has anything to do with Rails vs. Ruby,
since there are general instructions for the monkeypatch followed by
instructions on how to include it in a Rails app.

11

On Sat, Aug 23, 2008 at 8:03 PM, Christopher D. [email protected]
wrote:

I don’t think the monkeypatch has anything to do with Rails vs. Ruby,
since there are general instructions for the monkeypatch followed by
instructions on how to include it in a Rails app.

It has everything to do with Ruby vs. Rails.

If we are talking about a vulnerability in standard Ruby, we should be
able to patch standard Ruby and be done with it, not be required to
use some hackish monkeypatch in every application we write. Ruby core
does of course, maintain Ruby’s standard library (or so we hope.)

-greg

12

On Sat, Aug 23, 2008 at 4:37 PM, Urabe S. [email protected]
wrote:

The notice on the ruby-lang.org includes the general workaround and
the Rails-specific instructions (the monkeypatch is general, there is
a special mechanism for guaranteeing it is included given for Rails.)
The problem with the notice is that it the beginning part that
announces the problem makes it sound like it is in a Rails component,
when it is in the Ruby Standard Library. Instead of this:

—[begin]
There is a DoS vulnerability in the REXML library used by Rails to
parse incoming XML requests. A so-called “XML entity explosion” attack
technique can be used for remotely bringing down (disabling) any
application which parses user-provided XML. Most Rails applications
will be vulnerable to this attack.
—[end]

It should say something like this:

—[begin]
There is a DoS vulnerability in the REXML library included in the Ruby
Standard Library. A so-called “XML entity explosion” attack technique
can be used for remotely bringing down (disabling) any application
which parses user-provided XML using REXML.
—[end]

Any specific notes about systems that rely on REXML (including Rails)
should have followed that accurate description of the nature and
applicability of the problem. (I also question whether its true that
“Most Rails applications will be vulnerable to this attack”, is it
really true that the majority of Rails apps consume XML from untrusted
sources?

13

Hi,

“Christopher D.” [email protected] wrote:

—[begin]
There is a DoS vulnerability in theREXMLlibrary included in the Ruby
Standard Library. A so-called “XML entity explosion” attack technique
can be used for remotely bringing down (disabling) any application
which parses user-provided XML usingREXML.
—[end]

I admit that my announcement is misleading. It was based on the
original
report to [email protected].

What do you think of fixing it like this?

There is a DoS vulnerability in the REXML library included in the Ruby
Standard Library. A so-called “XML entity explosion” attack technique
can be used for remotely bringing down (disabling) any application
which parses user-provided XML using REXML.

Most Rails applications will be vulnerable because Rails parses
user-provided XML using REXML by default.

Any specific notes about systems that rely onREXML(including Rails)
should have followed that accurate description of the nature and
applicability of the problem. (I also question whether its true that
“Most Rails applications will be vulnerable to this attack”, is it
really true that the majority of Rails apps consume XML from untrusted
sources?

Yes, it is.

Shugo M.

14

Hi,

“Gregory B.” [email protected] wrote:

does of course, maintain Ruby’s standard library (or so we hope.)
There are some considerations to apply this fix to the Ruby’s standard
library. This vulnerability (not Ruby specific but in general)
had been known for a long time, so we decided to provide a monkey
patch
for a workaround.

We are discussing some considerations on ruby-dev ML, and I’ll send
a mail with details to ruby-core ML later.

Shugo M.

15

Hello,

Shugo M. [email protected] wrote:

I have fixed the announcement.

DoS vulnerability in REXML

Thank you.

Shugo

16

On Thu, Aug 28, 2008 at 5:19 AM, Shugo M. [email protected]
wrote:

Hi,

“Gregory B.” [email protected] wrote:

We are discussing some considerations on ruby-dev ML, and I’ll send
a mail with details to ruby-core ML later.

Okay, I’ll look out for that. Thanks!

-greg