Date: Mon, 20 Mar 2017 21:15:47 +0100 From: Dominik Stadler <centic@...che.org> To: private@....apache.org, security <security@...che.org>, "zhuxiaolong (C)" <zhuxiaolong1@...wei.com>, "Chenhuijun (Sniper)" <chenhuijun@...wei.com>, announce@...che.org, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com Subject: CVE-2017-5644 - Possible DOS (Denial of Service) in Apache POI versions prior to 3.15 Hi, Vendor: The Apache Software Foundation Versions affected: all versions prior to version 3.15 Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack. Users with applications which accept content from external or untrusted sources are advised to upgrade to Apache POI 3.15 or newer. Thanks to Xiaolong Zhu and Huijun Chen from Huawei Technologies Co., Ltd. for reporting the vulnerability. Dominik Stadler on behalf of the Apache POI PMC
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.