Common Vulnerabilities and Exposures assigned an identifier CVE-2014-3575 to
the following vulnerability:
Reference: BUGTRAQ:20140821 CVE-2014-3575:OpenOffice Targeted Data Exposure Using Crafted OLE Objects
The OLE preview generation in Apache OpenOffice before 4.1.1 and
OpenOffice.org (OOo) might allow remote attackers to embed arbitrary
data into documents via crafted OLE objects.
Created libreoffice tracking bugs for this issue:
Affects: fedora-all [bug 1139592]
As per the upstream advisory:
The vulnerability allows an attacker to send a document which when opened will trigger the prompt to "Update Links" but if the user cancels that prompt may still generate and insert into the document an OLE2 preview image of a file on the victims filesystem, Data exposure is possible if the updated document is then distributed to other parties.
- Whenever possible, exercise caution when opening documents sent by unknown/untrusted parties.
- If "Update Links" dialog is seen, when opening a document, do not send this document to others, since it may be possible that local files got attached to the document. (The exploit only works when the document is sent over to the attacker after opening it on your system using LibreOffice/OpenOffice)
This issue affects the version of OpenOffice.org as shipped in Red Hat Enterprise Linux 5, and the version of LibreOffice as shipped in Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this issue as having Moderate security impact and is not planned to be addressed in any future updates.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:0377 https://rhn.redhat.com/errata/RHSA-2015-0377.html