Description

WordPress and Drupal are affected by a DoS (denial of service) vulnerability on the PHP XML parser used by their XMLRPC implementations. The issue lies in the XML entity expansion parser that can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. The vulnerability is named XML quadratic blowup attack and was reported by Nir Goldshlager.

"An XML quadratic blowup attack is similar to a Billion Laughs attack. Essentially, it exploits the use of entity expansion. Instead of deferring to the use of nested entities, it replicates one large entity using a couple thousand characters repeatedly. A medium-sized XML document of approximately two hundred kilobytes may require anywhere within the range of one hundred MB to several GB of memory. When the attack is combined with a particular level of nested expansion, an attacker is then able to achieve a higher ratio of success."

Remediation

Update WordPress/Drupal to the latest version or restrict access to the xmlrpc file.

References

XML Billion laughs attack

XML Quadratic Blowup Attack Blows Up WordPress, Drupal

Related Vulnerabilities

WordPress Multiple Vulnerabilities (0.70 - 3.6.1)

WordPress 5.0.x Multiple Vulnerabilities (5.0 - 5.0.10)

PHP preg_replace used on user input

GraphQL Alias Overloading Allowed: Potential Denial of Service Vulnerability

XML External Entity Injection via external file

Severity

High

Classification

CWE-400 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Tags

Denial Of Service XXE