Apache POI versions prior to release 3.17 are vulnerable to Denial of Service (DoS) attacks caused by multiple bugs in parsing specially crafted files. Parsing of WMF, EMF, MSG files and macros can lead to infinite loops, while parsing DOC, PPT and XLS files can trigger out-of-memory errors (OutOfMemoryError) through unbounded allocations driven by corrupt length fields.

External References:

https://nvd.nist.gov/vuln/detail/CVE-2017-12626
https://lists.apache.org/thread.html/453d9af5dbabaccd9afb58d27279a9dbfe8e35f4e5ea1645ddd6960b@%3Cdev.poi.apache.org%3E
Created apache-poi tracking bugs for this issue:

Affects: fedora-all [bug 1539990]
According to the upstream announcement, this CVE covers 4 issues tracked in the following upstream bugs. Upstream commits relevant to each upstream bug report are also listed:

1. Avoid infinite loop in corrupt wmf
   https://bz.apache.org/bugzilla/show_bug.cgi?id=61338
   https://svn.apache.org/viewvc?view=revision&revision=1802997

2. IOUtils.skipFully can run into infinite loop
   https://bz.apache.org/bugzilla/show_bug.cgi?id=61294
   https://svn.apache.org/viewvc?view=revision&revision=1801952
   https://svn.apache.org/viewvc?view=revision&revision=1806162

3. OutOfMemoryError parsing a word file
   https://bz.apache.org/bugzilla/show_bug.cgi?id=52372
   https://svn.apache.org/viewvc?view=revision&revision=1793602

4. Vector.read -- Java heap space on corrupt file
   https://bz.apache.org/bugzilla/show_bug.cgi?id=61295
   https://svn.apache.org/viewvc?view=revision&revision=1802879
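The two bug classes behind these reports (a skip loop that never terminates on a truncated stream, and an array allocation sized by an untrusted length field) are shown below as an added, self-contained Java illustration. This is not Apache POI code and not the upstream patches linked above; the class name CorruptFileGuards, the method names, the MAX_VECTOR_ELEMENTS limit and the byte sequences fed to it are all constructed for the example. The naive variants reproduce the failure modes the bug titles describe; the hardened variants fail closed.

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.Arrays;

// Illustrative example only (assumed names); not POI's IOUtils or HPSF Vector.
public class CorruptFileGuards {

    // Vulnerable pattern: InputStream.skip() may return 0 without reaching EOF, and
    // most streams (ByteArrayInputStream included) keep returning 0 once at EOF
    // rather than -1. On a truncated file this loop never terminates.
    static void skipFullyNaive(InputStream in, long toSkip) throws IOException {
        long remain = toSkip;
        while (remain > 0) {
            remain -= in.skip(remain);
        }
    }

    // Hardened pattern: when skip() makes no progress, fall back to a one-byte
    // read(), which does return -1 at EOF, and abort instead of spinning.
    static long skipFully(InputStream in, long toSkip) throws IOException {
        if (toSkip < 0) {
            throw new IllegalArgumentException("toSkip must be >= 0: " + toSkip);
        }
        long remain = toSkip;
        while (remain > 0) {
            long skipped = in.skip(remain);
            if (skipped <= 0) {
                if (in.read() == -1) {
                    throw new EOFException("stream ended with " + remain + " byte(s) still to skip");
                }
                skipped = 1;
            }
            remain -= skipped;
        }
        return toSkip;
    }

    // Vulnerable pattern: allocate an array whose size comes straight from the file.
    // A corrupt count of 0x7FFFFFFF asks for ~8 GiB and throws OutOfMemoryError.
    static int[] readVectorNaive(ByteBuffer buf) {
        int count = buf.getInt();
        int[] values = new int[count];
        for (int i = 0; i < count; i++) {
            values[i] = buf.getInt();
        }
        return values;
    }

    // Assumed ceiling for this example; a real parser would pick a format-specific bound.
    static final int MAX_VECTOR_ELEMENTS = 1 << 20;

    // Hardened pattern: bound the count by an absolute ceiling and by what the
    // remaining input could actually hold before touching the heap.
    static int[] readVector(ByteBuffer buf) throws IOException {
        long count = buf.getInt() & 0xFFFFFFFFL;  // treat the on-disk field as unsigned
        if (count > MAX_VECTOR_ELEMENTS) {
            throw new IOException("vector count " + count + " exceeds limit " + MAX_VECTOR_ELEMENTS);
        }
        if (count * 4L > buf.remaining()) {
            throw new IOException("vector count " + count + " exceeds remaining " + buf.remaining() + " bytes");
        }
        int[] values = new int[(int) count];
        for (int i = 0; i < values.length; i++) {
            values[i] = buf.getInt();
        }
        return values;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: a 3-byte stream from which the caller wants to skip 8 bytes.
        byte[] truncated = {1, 2, 3};
        try {
            skipFully(new ByteArrayInputStream(truncated), 8);
        } catch (EOFException e) {
            System.out.println("truncated input rejected: " + e.getMessage());
        }
        // skipFullyNaive(new ByteArrayInputStream(truncated), 8);  // would spin forever

        // Constructed input: count field 0x7FFFFFFF followed by only 8 bytes of payload.
        ByteBuffer corrupt = ByteBuffer.allocate(12).order(ByteOrder.LITTLE_ENDIAN);
        corrupt.putInt(0x7FFFFFFF).putInt(42).putInt(43);
        corrupt.flip();
        try {
            readVector(corrupt);
        } catch (IOException e) {
            System.out.println("oversized vector rejected: " + e.getMessage());
        }
        // readVectorNaive(corrupt);  // would attempt a ~8 GiB allocation

        // Constructed input: a well-formed two-element vector.
        ByteBuffer ok = ByteBuffer.allocate(12).order(ByteOrder.LITTLE_ENDIAN);
        ok.putInt(2).putInt(42).putInt(43);
        ok.flip();
        System.out.println("well-formed vector: " + Arrays.toString(readVector(ok)));
    }
}
```

The hardened readVector checks the count against the bytes still available before allocating, which is the cheap check that turns a heap exhaustion into an ordinary parse error; the hardened skipFully converts "no progress" into a definite EOF test instead of trusting skip() to advance.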
This issue has been addressed in the following products:

Red Hat JBoss Fuse

Via RHSA-2018:1322 https://access.redhat.com/errata/RHSA-2018:1322