diff --git a/cinder/tests/unit/volume/drivers/test_dothill.py b/cinder/tests/unit/volume/drivers/test_dothill.py
index d85d7200b38..ec82611d4dc 100644
--- a/cinder/tests/unit/volume/drivers/test_dothill.py
+++ b/cinder/tests/unit/volume/drivers/test_dothill.py
@@ -16,8 +16,7 @@
 #
 """Unit tests for OpenStack Cinder DotHill driver."""
-
-from lxml import etree
+from defusedxml import lxml as etree
 import mock
 import requests
@@ -205,7 +204,7 @@ class TestDotHillClient(test.TestCase):
 RequestException("error")]
 mock_requests_get.return_value = m
 ret = self.client._api_request('/path')
- self.assertTrue(type(ret) == etree._Element)
+ self.assertTrue(type(ret) == etree.RestrictedElement)
 self.assertRaises(exception.DotHillConnectionError,
 self.client._api_request, '/path')
diff --git a/cinder/tests/unit/volume/drivers/test_qnap.py b/cinder/tests/unit/volume/drivers/test_qnap.py
index 950e82cbe30..c3ee15f2268 100644
--- a/cinder/tests/unit/volume/drivers/test_qnap.py
+++ b/cinder/tests/unit/volume/drivers/test_qnap.py
@@ -14,14 +14,11 @@
 # under the License.
 import base64
-try:
- import xml.etree.cElementTree as ET
-except ImportError:
- import xml.etree.ElementTree as ET
 from ddt import data
 from ddt import ddt
 from ddt import unpack
+from defusedxml import cElementTree as ET
 import eventlet
 import mock
 from oslo_config import cfg
diff --git a/cinder/volume/drivers/dothill/dothill_client.py b/cinder/volume/drivers/dothill/dothill_client.py
index 234981c3634..d819b7900d9 100644
--- a/cinder/volume/drivers/dothill/dothill_client.py
+++ b/cinder/volume/drivers/dothill/dothill_client.py
@@ -19,7 +19,7 @@ import hashlib
 import math
 import time
-from lxml import etree
+from defusedxml import lxml as etree
 from oslo_log import log as logging
 from oslo_utils import strutils
 from oslo_utils import units
diff --git a/cinder/volume/drivers/fujitsu/eternus_dx_common.py b/cinder/volume/drivers/fujitsu/eternus_dx_common.py
index 04ba94f9eee..2ab3af78133 100644
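Review bot: `from defusedxml import lxml as etree` keeps the name `etree` but not its full API: defusedxml.lxml wraps the parsing entry points (`parse`, `fromstring`, `XML`) and re-exports `tostring`, so any other `etree.` attribute used further down in this module would fail with AttributeError only when that line runs. The same aliased import is added in dothill_client.py, nec/volume_common.py and zadara.py, whose bodies are outside these hunks, so each module's `etree.` uses should be checked against that short list. Later defusedxml releases also mark the lxml wrapper as deprecated. I would add a comment above the import such as `# defusedxml.lxml only provides parse/fromstring/XML/tostring; it is not a full lxml.etree replacement`.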
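Review bot: The updated assertion compares exact types with `assertTrue(type(ret) == ...)`, which reports only that False is not true on failure and ties the test to defusedxml's concrete element class. `self.assertIsInstance(ret, etree.RestrictedElement)` states the same expectation, accepts subclasses and prints the actual type when it fails. The test method starts above this hunk, so its name and setup are not visible here.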
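Review bot: The new `from defusedxml import cElementTree as ET` in test_qnap.py has no fallback, whereas the removed lines fell back to `xml.etree.ElementTree` on ImportError. defusedxml.cElementTree is built on `xml.etree.cElementTree`, which Python 3.9 removed, so this import fails on such interpreters. `from defusedxml import ElementTree as ET`, the form the eternus_dx_common.py hunk in this commit uses, avoids that. The identical import added in cinder/volume/drivers/qnap.py has the same problem.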
--- a/cinder/volume/drivers/fujitsu/eternus_dx_common.py
+++ b/cinder/volume/drivers/fujitsu/eternus_dx_common.py
@@ -22,18 +22,19 @@ Cinder Volume driver for Fujitsu ETERNUS DX S3 series.
 import ast
 import base64
 import hashlib
-import six
 import time
-from xml.etree.ElementTree import parse
-from cinder import exception
-from cinder.i18n import _
-from cinder.volume import configuration as conf
+from defusedxml import ElementTree as ET
 from oslo_concurrency import lockutils
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_service import loopingcall
 from oslo_utils import units
+import six
+
+from cinder import exception
+from cinder.i18n import _
+from cinder.volume import configuration as conf
 LOG = logging.getLogger(__name__)
 CONF = cfg.CONF
@@ -1099,7 +1100,7 @@ class FJDXCommon(object):
 LOG.debug("_get_drvcfg, input[%(filename)s][%(tagname)s].",
 {'filename': filename, 'tagname': tagname})
- tree = parse(filename)
+ tree = ET.parse(filename)
 elem = tree.getroot()
 ret = None
diff --git a/cinder/volume/drivers/nec/volume_common.py b/cinder/volume/drivers/nec/volume_common.py
index 15567e26628..0723ae9e77b 100644
--- a/cinder/volume/drivers/nec/volume_common.py
+++ b/cinder/volume/drivers/nec/volume_common.py
@@ -15,11 +15,11 @@
 # under the License.
 import errno
-from lxml import etree
 import os
 import re
 import traceback
+from defusedxml import lxml as etree
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import excutils
diff --git a/cinder/volume/drivers/qnap.py b/cinder/volume/drivers/qnap.py
index 83048464920..5ad6f4d6936 100644
--- a/cinder/volume/drivers/qnap.py
+++ b/cinder/volume/drivers/qnap.py
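Review bot: `ET.parse(filename)` in `_get_drvcfg` can now raise defusedxml's own exceptions, for example `EntitiesForbidden` when the driver configuration file declares an entity, and the visible lines neither catch nor document that. These derive from ValueError rather than from the stdlib ParseError, so any existing handler for parse errors (none is visible here) would not see them. I would add a comment above the call, `# defusedxml rejects entity declarations and external references; its exceptions propagate to the caller`, or translate them into the driver's own exception with the file name in the message. The method begins before and continues after this hunk.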
@@ -23,11 +23,8 @@ import re
 import ssl
 import threading
 import time
-try:
- import xml.etree.cElementTree as ET
-except ImportError:
- import xml.etree.ElementTree as ET
+from defusedxml import cElementTree as ET
 from oslo_concurrency import lockutils
 from oslo_config import cfg
 from oslo_log import log as logging
diff --git a/cinder/volume/drivers/zadara.py b/cinder/volume/drivers/zadara.py
index f1f3348c2f1..1199f7f9964 100644
--- a/cinder/volume/drivers/zadara.py
+++ b/cinder/volume/drivers/zadara.py
@@ -18,7 +18,7 @@ Volume driver for Zadara Virtual Private Storage Array (VPSA).
 This driver requires VPSA with API version 15.07 or higher.
 """
-from lxml import etree
+from defusedxml import lxml as etree
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import strutils
diff --git a/requirements.txt b/requirements.txt
index 1dcd40c5d0e..208fcc0768e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -5,6 +5,7 @@
 pbr!=2.1.0,>=2.0.0 # Apache-2.0
 Babel!=2.4.0,>=2.3.4 # BSD
 decorator>=3.4.0 # BSD
+defusedxml>=0.5.0 # PSF
 enum34>=1.0.4;python_version=='2.7' or python_version=='2.6' or python_version=='3.3' # BSD
 eventlet!=0.18.3,!=0.20.1,<0.21.0,>=0.18.2 # MIT
 greenlet>=0.4.10 # MIT