diff --git a/glance/async/flows/ovf_process.py b/glance/async/flows/ovf_process.py
index 4f463f67cc..79357de11b 100644
--- a/glance/async/flows/ovf_process.py
+++ b/glance/async/flows/ovf_process.py
@@ -19,9 +19,9 @@ import shutil
 import tarfile
 try:
- import xml.etree.cElementTree as ET
+ from defusedxml import cElementTree as ET
 except ImportError:
- import xml.etree.ElementTree as ET
+ from defusedxml import ElementTree as ET
 from oslo_config import cfg
 from oslo_log import log as logging
diff --git a/glance/tests/unit/async/flows/test_ovf_process.py b/glance/tests/unit/async/flows/test_ovf_process.py
index a68a9578ad..5646caefec 100644
--- a/glance/tests/unit/async/flows/test_ovf_process.py
+++ b/glance/tests/unit/async/flows/test_ovf_process.py
@@ -20,9 +20,9 @@ import tempfile
 import mock
 try:
- from xml.etree.cElementTree import ParseError
+ from defusedxml.cElementTree import ParseError
 except ImportError:
- from xml.etree.ElementTree import ParseError
+ from defusedxml.ElementTree import ParseError
 from glance.async.flows import ovf_process
 import glance.tests.utils as test_utils
diff --git a/requirements.txt b/requirements.txt
index a39f7b59c2..59e976dd19 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,6 +3,7 @@ # process, which may cause wedges in the gate later.
 pbr!=2.1.0,>=2.0.0 # Apache-2.0
+defusedxml>=0.5.0 # PSF
 # < 0.8.0/0.8 does not work, see https://bugs.launchpad.net/bugs/1153983
 SQLAlchemy!=1.1.5,!=1.1.6,!=1.1.7,!=1.1.8,>=1.0.10 # MIT
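Review bot: The new `from defusedxml import cElementTree as ET` import changes which exceptions the parse calls can raise, and nothing in this hunk handles them. defusedxml reports a rejected document with `EntitiesForbidden`, `ExternalReferenceForbidden` or `DTDForbidden`, which derive from `DefusedXmlException` (a `ValueError`) rather than from `ParseError`. The code that calls `ET` lies outside the hunk, so confirm that a rejected OVF descriptor fails the import task with a clear error, for example by adding `from defusedxml.common import DefusedXmlException` and catching it next to the existing parse-error handling. defusedxml also leaves `forbid_dtd` off by default; if OVF descriptors never need a DOCTYPE, passing `forbid_dtd=True` at the parse call would reject those too. A short comment above the import, such as `# defusedxml: OVF descriptors come from user-supplied archives; reject entity declarations and external references`, would record why the stdlib parser must not be restored.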
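Review bot: The only change to the test module is where `ParseError` is imported from, so no test shows that the hardened parser is in effect. A case that feeds the OVF flow a descriptor containing an entity declaration and asserts the task fails (defusedxml raises `EntitiesForbidden`, a `ValueError` subclass, for that input) would catch a later revert to `xml.etree`. The existing test bodies are outside this hunk, so also check whether any of them assert `ParseError` for inputs that defusedxml now rejects earlier with its own exception type.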