Date: Fri, 26 Jan 2018 19:31:27 +0000 (UTC)
From: Tim Allison <tallison@...che.org>
To: "announce@...che.org" <announce@...che.org>, 
	Security <security@...che.org>, 
	"oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, 
	"user@....apache.org" <user@....apache.org>, 
	"dev@....apache.org" <dev@....apache.org>, 
	"davidedillard@...il.com" <davidedillard@...il.com>
Subject: CVE-2017-12626 – Denial of Service Vulnerabilities in Apache POI < 3.17

Title: CVE-2017-12626 – Denial of Service Vulnerabilities in Apache POI < 3.17

Severity: Important

Vendor: The Apache Software Foundation

Versions affected: versions prior to version 3.17

Description:
    Apache POI versions prior to release 3.17 are vulnerable to denial-of-service attacks:
    * Infinite loops while parsing specially crafted WMF, EMF and MSG files and macros
          (POI bugs 61338 [0] and 61294 [1])
    * Out-of-memory errors while parsing specially crafted DOC, PPT and XLS files
          (POI bugs 52372 [2] and 61295 [3])


Mitigation:  Users with applications which accept content from external or untrusted sources are advised to upgrade to Apache POI 3.17 or newer.

-Tim Allison

on behalf of the Apache POI PMC


[0] https://bz.apache.org/bugzilla/show_bug.cgi?id=61338
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=61294
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=52372
[3] https://bz.apache.org/bugzilla/show_bug.cgi?id=61295
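A practical first step for the mitigation above is to find out which POI jars an application actually ships and whether any of them predate 3.17. The following is an added example, not code from the advisory or from the Apache POI project: it walks a directory tree, takes the version from the jar file name or, failing that, from the Implementation-Version entry in the jar's manifest, and flags anything older than 3.17. The fake jars it builds in a temporary directory are constructed sample input; the rule that a pre-release of 3.17 (e.g. 3.17-beta1) counts as older than the 3.17 final release is my conservative assumption, not something the advisory states.

```python
"""Inventory Apache POI jars under a directory and flag versions below 3.17
(the first release with the fixes for CVE-2017-12626).

Added example; not part of the advisory or of Apache POI itself."""
import re
import tempfile
import zipfile
from pathlib import Path

# First release carrying the fixes for POI bugs 61338, 61294, 52372 and 61295.
FIXED = (3, 17)

_VERSION_RE = re.compile(r'(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc)\d*)?', re.I)
# poi-3.16.jar, poi-ooxml-3.17.jar, poi-ooxml-schemas-3.17.jar, poi-ooxml-3.17-beta1.jar
_JAR_NAME_RE = re.compile(r'^poi(?:-[a-z]+)*-(\d[\w.-]*)\.jar$', re.I)


def version_key(text):
    """Map a version string to a comparable tuple, or None if unparseable.

    '3.16' -> (3, 16, 0); '4.1.2' -> (4, 1, 2, 0); '3.17-beta1' -> (3, 17, -1).
    Assumption (mine, not the advisory's): a pre-release qualifier sorts before
    the final release of the same number, so 3.17-beta1 is treated as unfixed.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split('.'))
    return nums + ((-1,) if m.group(2) else (0,))


def is_vulnerable(version):
    """True if `version` is older than 3.17, False if 3.17 or newer, None if unknown."""
    key = version_key(version)
    return None if key is None else key < FIXED + (0,)


def jar_version(jar_path):
    """Version from the file name, else Implementation-Version from the manifest."""
    m = _JAR_NAME_RE.match(Path(jar_path).name)
    if m:
        return m.group(1)
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read('META-INF/MANIFEST.MF').decode('utf-8', 'replace')
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.lower().startswith('implementation-version:'):
            return line.split(':', 1)[1].strip()
    return None


def scan(root):
    """Return (path relative to root, version, vulnerable) for every poi*.jar under root."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob('poi*.jar')):
        v = jar_version(p)
        findings.append((str(p.relative_to(root)), v, is_vulnerable(v) if v else None))
    return findings


def make_sample_tree():
    """Constructed sample input: a temp dir with four fake POI jars, each a zip
    containing only a manifest. Returns the directory path."""
    root = Path(tempfile.mkdtemp(prefix='poi-scan-'))
    (root / 'lib').mkdir()
    samples = {
        'lib/poi-3.16.jar': '3.16',
        'lib/poi-ooxml-3.17.jar': '3.17',
        'lib/poi-scratchpad-4.1.2.jar': '4.1.2',
        'lib/poi.jar': '3.15',  # version only discoverable from the manifest
    }
    for rel, ver in samples.items():
        with zipfile.ZipFile(root / rel, 'w') as zf:
            zf.writestr('META-INF/MANIFEST.MF',
                        f'Manifest-Version: 1.0\nImplementation-Version: {ver}\n')
    return root


if __name__ == '__main__':
    for path, ver, vuln in scan(make_sample_tree()):
        status = {True: 'VULNERABLE (< 3.17)', False: 'ok', None: 'unknown'}[vuln]
        print(f'{path:32} {str(ver):12} {status}')
```

Point `scan()` at a real deployment directory (an application's `lib/` or `WEB-INF/lib/`) to get the same report for the jars it actually loads; shaded or renamed jars will fall through to the manifest lookup, and jars with neither a versioned name nor an Implementation-Version are reported as unknown rather than silently passed.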
