Date: Mon, 20 Mar 2017 21:15:47 +0100
From: Dominik Stadler <centic@...che.org>
To: private@....apache.org, security <security@...che.org>, 
	"zhuxiaolong (C)" <zhuxiaolong1@...wei.com>, "Chenhuijun (Sniper)" <chenhuijun@...wei.com>, announce@...che.org, 
	oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: CVE-2017-5644 - Possible DOS (Denial of Service) in Apache POI
 versions prior to 3.15

Hi,

Vendor: The Apache Software Foundation

Versions affected: all versions prior to version 3.15

Apache POI in versions prior to release 3.15 allows remote attackers to
cause a denial of service (CPU consumption) via a specially crafted OOXML
file, aka an XML Entity Expansion (XEE) attack.

Users with applications which accept content from external or untrusted
sources are advised to upgrade to Apache POI 3.15 or newer.

Thanks to Xiaolong Zhu and Huijun Chen from Huawei Technologies Co., Ltd.
for reporting the vulnerability.


Dominik Stadler
on behalf of the Apache POI PMC
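
An added example, not part of the advisory and not Apache POI code: a pre-screen that an application accepting untrusted OOXML uploads could run before parsing, which rejects any package part containing a DOCTYPE and therefore any entity declaration. The class name `OoxmlDtdScreen`, the extension-based choice of parts, and the premise that legitimate OOXML parts carry no DOCTYPE are assumptions; the sample package is constructed.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.zip.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
public class OoxmlDtdScreen {
    /** Returns the XML parts of an OOXML package that a DOCTYPE-refusing parser rejects. */
    static List<String> rejectedParts(InputStream ooxml) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Any <!DOCTYPE ...> becomes a fatal error, so no entity is ever declared or expanded.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        List<String> rejected = new ArrayList<>();
        try (ZipInputStream zip = new ZipInputStream(ooxml)) {
            for (ZipEntry entry; (entry = zip.getNextEntry()) != null; ) {
                String name = entry.getName();
                // Assumption: XML parts are recognised by file extension only.
                if (!name.endsWith(".xml") && !name.endsWith(".rels")) continue;
                // The parser may close its input; shield the zip stream so iteration continues.
                InputStream part = new FilterInputStream(zip) { @Override public void close() {} };
                try {
                    factory.newSAXParser().parse(part, new DefaultHandler());
                } catch (SAXException e) {
                    rejected.add(name + ": " + e.getMessage());
                }
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample package: one clean part, one part carrying a harmless DTD.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(buf)) {
            put(out, "xl/workbook.xml", "<workbook/>");
            put(out, "xl/sharedStrings.xml", "<!DOCTYPE sst [<!ENTITY a \"x\">]><sst>&a;</sst>");
        }
        rejectedParts(new ByteArrayInputStream(buf.toByteArray())).forEach(System.out::println);
    }

    static void put(ZipOutputStream out, String name, String xml) throws IOException {
        out.putNextEntry(new ZipEntry(name));
        out.write(xml.getBytes(StandardCharsets.UTF_8));
        out.closeEntry();
    }
}
```

A non-empty result means the file should be refused; malformed parts are reported as well, since the parser rejects them for the same reason it rejects a DOCTYPE. The screen complements the upgrade to POI 3.15 or newer and does not replace it.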
