[tahoe-lafs-trac-stream] [tahoe-lafs] #2192: cloud backend: denial of service attacks against XML parser
tahoe-lafs
trac at tahoe-lafs.org
Fri Mar 7 12:16:51 UTC 2014
#2192: cloud backend: denial of service attacks against XML parser
---------------------------+-----------------------------------------------
     Reporter:  daira         |      Owner:  daira
         Type:  defect        |     Status:  new
     Priority:  minor         |  Milestone:  undecided
    Component:  code-storage  |    Version:  cloud-branch
   Resolution:                |   Keywords:  DoS cloud-backend s3 security xml
Launchpad Bug:                |
---------------------------+-----------------------------------------------
Description changed by daira:
Old description:
> A malicious cloud service could easily cause a DoS against the storage
> server using some of the attacks described in
> [https://pypi.python.org/pypi/defusedxml/]. This is not a particularly
> serious attack as long as one storage server is associated with each
> cloud service and that server is running in its own virtual machine,
> since then the cloud service can only affect its own storage server.
> OTOH, switching to a library that prevents these attacks would probably
> be straightforward.
New description:
A malicious cloud service could easily cause a DoS against the storage
server using some of the attacks described in
[https://pypi.python.org/pypi/defusedxml/]. This is not a particularly
serious attack as long as one storage server is associated with each cloud
service and that server is running in its own virtual machine, since then
the cloud service can only affect its own storage server's virtual
machine. OTOH, switching to a library that prevents these attacks would
probably be straightforward.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2192#comment:3>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
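
Added example, not part of the ticket or of the Tahoe-LAFS code: one way to refuse the DTD-based attacks the ticket refers to when parsing a listing response from a cloud service, using the standard library's expat bindings rather than defusedxml. The function name, the 1 MiB cap and both sample responses are assumptions constructed for illustration.

```python
import xml.parsers.expat as expat

MAX_BODY = 1 << 20  # assumed cap on one listing response (1 MiB)

class UnsafeXML(ValueError):
    """The response used an XML feature this parser refuses to process."""

def listing_keys(body, max_body=MAX_BODY):
    """Return the text of every <Key> element in an S3-style listing."""
    if len(body) > max_body:
        raise UnsafeXML("response body exceeds %d bytes" % max_body)
    keys, buf = [], None

    def doctype(name, sysid, pubid, has_internal_subset):
        # Entities can only be declared in a DTD, so refusing the DOCTYPE
        # rejects entity-expansion and external-entity input before any
        # declaration is processed.
        raise UnsafeXML("DOCTYPE not allowed in service response")

    def start(name, attrs):
        nonlocal buf
        if name.rpartition(" ")[2] == "Key":  # strip namespace URI, if any
            buf = []

    def chars(data):
        if buf is not None:  # expat may deliver one text node in pieces
            buf.append(data)

    def end(name):
        nonlocal buf
        if buf is not None and name.rpartition(" ")[2] == "Key":
            keys.append("".join(buf))
            buf = None

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = doctype
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(body, True)  # malformed XML raises expat.ExpatError
    return keys

# Constructed sample responses (not captured from any real service).
GOOD = (b'<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
        b'<Contents><Key>shares/aa/1</Key></Contents>'
        b'<Contents><Key>shares/ab/2</Key></Contents></ListBucketResult>')
WITH_DTD = (b'<!DOCTYPE ListBucketResult [<!ENTITY e "x">]>'
            b'<ListBucketResult><Contents><Key>&e;</Key></Contents>'
            b'</ListBucketResult>')
```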