Apache POI 3.10.1-20140818 security issues with OOXML

2014.09.05
Credit: Multiple
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

The Apache POI project is pleased to announce the release of POI 3.10.1-20140818. This release is a bugfix release to fix two security issues with OOXML. See the downloads page for binary and source distributions: http://poi.apache.org/download.html Release Notes Changes ------------ The most notable changes in this release are: This release is a bugfix release to fix two security issues with OOXML: - Tidy up the OPC SAX setup code with a new common Helper, preventing external entity expansion (CVE-2014-3529). - On supported XML parser versions (Xerces or JVM built-in, XMLBeans 2.6), enforce sensible limits on entity expansion in OOXML files, and ensure that subsequent normal files still pass fine (CVE-2014-3574). Please note: You should use xmlbeans-2.6.jar (as shipped with this release) instead of the xmlbeans-2.3.jar version from the 3.10-FINAL release to work around CVE-2014-3574. If you have an alternate XML parser like Apache Xerces in classpath, be sure to use a recent version! Older versions are likely to break on setting required security features. Thanks to Stefan Kopf, Mike Boufford, Mohamed Ramadan, and Christian Schneider for reporting these issues! A full list of changes is available in the change log: http://poi.apache.org/changes.html. People interested should also follow the dev mailing list to track further progress. Release Contents ---------------- This release comes in two forms: - pre-built binaries containing compiled versions of all Apache POI components and documentation (poi-bin-3.10.1-20140818.zip or poi-bin-3.10.1-20140818.tar.gz) - source archive you can build POI from (poi-src-3.10.1-20140818.zip or poi-src-3.10.1-20140818.tar.gz) Unpack the archive and use the following command to build all POI components with Apache Ant 1.6+ and JDK 1.5 or higher: ant jar Pre-built versions of all POI components are also available in the central Maven repository under Group ID "org.apache.poi" and Version "3.10.1-20140818" All release artifacts are accompanied by MD5 checksums and a PGP signatures that you can use to verify the authenticity of your download. The public key used for the PGP signature can be found at http://svn.apache.org/repos/asf/poi/tags/REL_3_10_1/KEYS About Apache POI ----------------------- Apache POI is well-known in the Java field as a library for reading and writing Microsoft Office file formats, such as Excel, PowerPoint, Visio and Word. Since POI 3.5, the new OOXML (Office Open XML) formats introduced in Office 2007 have been supported. See http://poi.apache.org/ for more details

References:

https://lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations
http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt
http://secunia.com/advisories/60419
http://poi.apache.org/changes.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top