Bug 2182044 (CVE-2022-38745) - CVE-2022-38745 libreoffice: Empty entry in Java class path
Summary: CVE-2022-38745 libreoffice: Empty entry in Java class path
Keywords:
Status: NEW
Alias: CVE-2022-38745
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2182045 2182390 2182391 2182392 2182393
Blocks: 2182046
 
Reported: 2023-03-27 12:12 UTC by Pedro Sampaio
Modified: 2023-11-14 15:16 UTC (History)
0 users

Fixed In Version: LibreOffice 7.2.6, LibreOffice 7.3.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in LibreOffice. When an empty Java class path entry is configured, LibreOffice will search for Java classes in the current working directory, allowing malicious Java classes to load when opening a document using the file manager, resulting in arbitrary code execution.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:6508 0 None None None 2023-11-07 08:18:26 UTC
Red Hat Product Errata RHSA-2023:6933 0 None None None 2023-11-14 15:16:14 UTC

Description Pedro Sampaio 2023-03-27 12:12:07 UTC
Fixed in: LibreOffice 7.2.6/7.3.1

Description:

Most versions of LibreOffice support and contain components written in Java. LibreOffice extends the existing Java class path with its own internal classes.

In the affected versions of LibreOffice, if the existing class path was empty, then when Java class files are loaded, the current working directory is searched for valid classes before using the embedded versions. If an attacker sends a zip file containing a class file alongside a document then, depending on the file manager or other tool used to open the zip file, when navigating to the document and launching LibreOffice to open it, the current working directory of LibreOffice may be the directory in which the class file exists, in which case there is a risk that the arbitrary code of the class file could be executed.

In versions >= 7.2.6 (and >= 7.3.1) such unwanted empty paths are not appended to the classpath.

References:

https://www.libreoffice.org/about-us/security/advisories/cve-2022-38745/
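
The class path handling described above, as an added example that is not part of the original report and is not LibreOffice's code: a shell script showing how joining an empty existing class path with an internal path leaves an empty entry, how to detect such entries, and a join that skips them. The function names and the `/opt/lo/...` paths are hypothetical.

```shell
#!/bin/sh
# Added illustration; function names and sample paths are hypothetical.

# Return 0 if a colon-separated class path contains an empty entry
# (leading, trailing or doubled separator). Per the report, such an
# entry makes the current working directory part of the class search.
has_empty_entry() {
    [ -n "$1" ] || return 1          # empty string: no entries at all
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Naive concatenation: an empty existing path leaves a leading
# separator, which is an empty first entry.
naive_join() {
    printf '%s:%s\n' "$1" "$2"
}

# Join that drops empty components from both inputs, so the result
# never contains an empty entry.
safe_join() {
    out=""
    old_ifs=$IFS
    IFS=:
    set -f                            # no globbing while splitting
    for entry in $1 $2; do
        [ -n "$entry" ] || continue
        out="${out:+$out:}$entry"
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Check the live environment before launching a Java-enabled application.
if has_empty_entry "${CLASSPATH-}"; then
    echo "CLASSPATH contains an empty entry: $CLASSPATH" >&2
fi
```
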

Comment 1 Pedro Sampaio 2023-03-27 12:12:20 UTC
Created libreoffice tracking bugs for this issue:

Affects: fedora-all [bug 2182045]

Comment 7 errata-xmlrpc 2023-11-07 08:18:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6508 https://access.redhat.com/errata/RHSA-2023:6508

Comment 8 errata-xmlrpc 2023-11-14 15:16:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6933 https://access.redhat.com/errata/RHSA-2023:6933

