Bug 1138135 (CVE-2014-3529)
| Summary: | CVE-2014-3529 apache-poi: XML eXternal Entity (XXE) flaw | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | David Jorm <djorm> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bdawidow, bmcclain, brms-jira, chazlett, dblechte, epp-bugs, grocha, idith, jcoleman, jpallich, kconner, michal.skrivanek, mjc, mweiler, orion, Rhev-m-bugs, rzhang, soa-p-jira, srevivo, theute, tkirby, ykaul |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | apache-poi-ooxml 3.10.1, apache-poi-ooxml 3.11-beta2 | Doc Type: | Bug Fix |
| Doc Text: |
It was found that Apache POI would resolve entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to read files accessible to the user running the application server, and potentially perform more advanced XML External Entity (XXE) attacks.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 02:34:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1138152, 1138153, 1138155, 1138156, 1138157, 1138158, 1138160, 1138161, 1138162, 1138163, 1138164, 1138165, 1138166, 1138167, 1138168, 1138169, 1138170, 1139203, 1143772, 1148950 | ||
| Bug Blocks: | 1138173, 1150317, 1150325, 1150326 | ||
|
Description
David Jorm
2014-09-04 07:03:09 UTC
Upstream Advisory: http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt Created apache-poi tracking bugs for this issue: Affects: fedora-all [bug 1138152] Upstream Issue: https://issues.apache.org/bugzilla/show_bug.cgi?id=56164 Upstream Fix: http://svn.apache.org/viewvc?view=revision&revision=1569991 http://svn.apache.org/viewvc?view=revision&revision=1589759 http://svn.apache.org/viewvc?view=revision&revision=1615720 http://svn.apache.org/viewvc?view=revision&revision=1617849 Victims Record: https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3529.yaml Statement CVE-2014-3529: Red Hat Product Security has determined that CVE-2014-3529 is not exploitable by default in JBoss Portal Platform as provided by Red Hat. This flaw would only be exploitable if the Apache POI library provided by JBoss Portal Platform were used by a custom application to process user-supplied XML documents. apache-poi-3.10.1-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: Fuse Service Works 6.0.0 Via RHSA-2014:1370 https://rhn.redhat.com/errata/RHSA-2014-1370.html This issue has been addressed in the following products: Red Hat JBoss BRMS 6.0.3 Via RHSA-2014:1400 https://rhn.redhat.com/errata/RHSA-2014-1400.html This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.0.3 Via RHSA-2014:1399 https://rhn.redhat.com/errata/RHSA-2014-1399.html This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.0.0 Via RHSA-2014:1398 https://rhn.redhat.com/errata/RHSA-2014-1398.html apache-poi-3.10.1-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html |