Python
cpe:2.3:a:python:python:*:*:*:*:*:*:*
A vulnerability exists in the Python XML parsers `xml.parsers.expat` and `xml.etree.ElementTree` due to insufficient entropy provided for hash-flooding protection. A specially crafted XML document can exploit this weakness to cause hash flooding. The issue arises because `pyexpat` supplies only 4 to 8 bytes of entropy, whereas Expat version 2.8.0 introduced a new function that accepts 16 bytes of entropy, which is sufficient to protect against such hash-flooding attacks. The vulnerability can be fully mitigated by updating the libexpat library to version 2.8.0 or later and applying the patch developed for this issue.
Exploitation of this vulnerability can lead to hash flooding, a type of denial-of-service attack where an attacker manipulates the hash function's input to create collisions, causing increased computational overhead and potentially degrading performance.
To address this vulnerability, update the libexpat library to version 2.8.0 or later. Additionally, apply the patch available in the Python GitHub repository, which modifies the `pyexpat` module to use the `XML_SetHashSalt16Bytes` function when compiled against a version of Expat that supports it.
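The library half of this remediation can be checked from Python itself. The following is an added example, not code from the Python project or from this advisory. The host names and the sample inventory are constructed, and it assumes version strings in the `expat_X.Y.Z` form reported by `pyexpat.EXPAT_VERSION`.

```python
import re
from xml.parsers import expat

# Minimum Expat release this page names as offering the 16-byte hash salt.
REQUIRED_EXPAT = (2, 8, 0)


def parse_expat_version(text):
    """Parse a string shaped like pyexpat.EXPAT_VERSION, e.g. 'expat_2.6.2'."""
    match = re.fullmatch(r"(?:expat_)?(\d+)\.(\d+)\.(\d+)", text.strip())
    if match is None:
        raise ValueError(f"unrecognised Expat version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def expat_meets_floor(version, required=REQUIRED_EXPAT):
    # Compare as integer tuples: a string compare would rank 2.10.0 below 2.8.0.
    return tuple(version) >= required


def audit_inventory(inventory):
    """Map each host to 'library-ok', 'upgrade-libexpat' or 'unknown'."""
    findings = {}
    for host, text in inventory.items():
        try:
            ok = expat_meets_floor(parse_expat_version(text))
        except ValueError:
            findings[host] = "unknown"
            continue
        findings[host] = "library-ok" if ok else "upgrade-libexpat"
    return findings


def local_library_ok():
    """Check the Expat that this interpreter's pyexpat reports at runtime."""
    return expat_meets_floor(expat.version_info)


# Constructed sample: hypothetical hosts with collected EXPAT_VERSION strings.
SAMPLE_INVENTORY = {
    "web-01": "expat_2.6.2",
    "web-02": "expat_2.8.0",
    "build-03": "expat_2.10.1",
    "legacy-04": "expat_unknown",
}

if __name__ == "__main__":
    print("local:", expat.EXPAT_VERSION, "library-ok" if local_library_ok() else "upgrade-libexpat")
    for host, status in audit_inventory(SAMPLE_INVENTORY).items():
        print(host, status)
```

A `library-ok` result covers only the libexpat version; whether the `pyexpat` build includes the patch and was compiled against a supporting Expat has to be confirmed from the Python build itself.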