Bug 1138140 (CVE-2014-3574)
| Summary: | CVE-2014-3574 apache-poi: entity expansion (billion laughs) flaw | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | David Jorm <djorm> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bdawidow, bmcclain, brms-jira, chazlett, cperry, dblechte, epp-bugs, grocha, idith, jbpapp-maint, jcoleman, jpallich, kconner, michal.skrivanek, mjc, mweiler, orion, Rhev-m-bugs, rzhang, soa-p-jira, srevivo, theute, tkirby, vhalbert, ykaul |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | apache-poi-ooxml 3.10.1, apache-poi-ooxml 3.11-beta2 | Doc Type: | Bug Fix |
| Doc Text: |
It was found that Apache POI would expand an unlimited number of entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to trigger a denial of service attack via excessive CPU and memory consumption.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 02:34:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1138165, 1138168, 1138152, 1138153, 1138155, 1138156, 1138157, 1138158, 1138160, 1138161, 1138162, 1138163, 1138164, 1138166, 1138169, 1138170, 1139203, 1143772, 1148950 | ||
| Bug Blocks: | 1138173, 1150317, 1150325, 1150326 | ||
|
Description
David Jorm
2014-09-04 07:13:20 UTC
Upstream Advisory: http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt Created apache-poi tracking bugs for this issue: Affects: fedora-all [bug 1138152] Upstream Issue: https://issues.apache.org/bugzilla/show_bug.cgi?id=54764 Upstream Fix: http://svn.apache.org/viewvc?view=revision&revision=1615720 http://svn.apache.org/viewvc?view=revision&revision=1615731 http://svn.apache.org/viewvc?view=revision&revision=1615781 Victims Record: https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3574.yaml Statement CVE-2014-3574: Red Hat Product Security has determined that CVE-2014-3574 is not exploitable by default in JBoss Portal Platform as provided by Red Hat. This flaw would only be exploitable if the Apache POI library provided by JBoss Portal Platform were used by a custom application to process user-supplied XML documents. apache-poi-3.10.1-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: Fuse Service Works 6.0.0 Via RHSA-2014:1370 https://rhn.redhat.com/errata/RHSA-2014-1370.html This issue has been addressed in the following products: Red Hat JBoss BRMS 6.0.3 Via RHSA-2014:1400 https://rhn.redhat.com/errata/RHSA-2014-1400.html This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.0.3 Via RHSA-2014:1399 https://rhn.redhat.com/errata/RHSA-2014-1399.html This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.0.0 Via RHSA-2014:1398 https://rhn.redhat.com/errata/RHSA-2014-1398.html This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html |