incubator-ooo-users mailing list archives

From Rob Weir <>
Subject Re: CVE-2012-0037: data leakage vulnerability
Date Thu, 22 Mar 2012 15:58:02 GMT
On Thu, Mar 22, 2012 at 10:03 AM, Stacie Jones <> wrote:
> So has data been leaked? Is that why we need the patch?

Here's how it works:

Security researchers, some in large companies, some in small
specialized companies or consultancies, test software, open source and
proprietary, for possible vulnerabilities.  These are the good guys.
We sometimes call them the "white hats".

When they find a possible way in which an application could be
exploited, they contact the vendor (or open source project) to report
the vulnerability.  We then work with the researcher to understand the
issue and how to mitigate it, how to patch it, and ultimately how to
notify the public.  The industry calls this "Responsible Disclosure".

At the same time the "white hats" are working on finding
vulnerabilities, there are also unfortunately "black hats" doing the
same thing.  They are looking for vulnerabilities to exploit for
malicious purposes.  They are the ones who write viruses and worms to
exploit product vulnerabilities.  They, obviously, do not work within
the system of Responsible Disclosure.

So this particular vulnerability, for which we announced a patch
today, came through the Responsible Disclosure route.  We are aware of
no exploitation of it "in the wild".  However, best practice would be
to still patch your system.
> On Thu, Mar 22, 2012 at 9:16 AM, Rob Weir <> wrote:
>> Please note, this is the official security bulletin, targeted for
>> security professionals.  If you are an 3.3 user, and
>> are able to apply the mentioned patch, then you are encouraged to do
>> so.  If someone else supports or manages your desktop, then please
>> forward this information to them.
>> Additional support is available on our Community Forums:
>> And via our ooo-users mailing list:
>> Note:  This security patch for is made available to
>> legacy users as a service by the Apache OpenOffice
>> Project Management Committee.  The patch is made available under the
>> Apache License, and due to its importance, we are releasing it outside
>> of the standard release cycle.
>> -Rob
>> CVE-2012-0037: data leakage vulnerability
>> Severity: Important
>> Vendor: The Apache Software Foundation
>> Versions Affected: 3.3 and 3.4 Beta, on all platforms.
>> Earlier versions may be also affected.
>> Description: An XML External Entity (XXE) attack is possible in the
>> above versions of  This vulnerability exploits the way in
>> which external entities are processed in certain XML components of ODF
>> documents.  By crafting an external entity to refer to other local
>> file system resources, an attacker would be able to inject contents of
>> other locally-accessible files into the ODF document, without the
>> user's knowledge or permission.  Data leakage then becomes possible
>> when that document is later distributed to other parties.
>> Mitigation: 3.3.0 and 3.4 beta users should install the
>> patch at:
>> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
>> snapshots since March 1st, 2012.
>> Source and Building: Information on obtaining the source code for this
>> patch, and for porting it or adapting it to derivatives
>> can be found here:
>> Credit: The Apache OpenOffice project acknowledges and thanks the
>> discoverer of this issue, Timothy D. Morgan of Virtual Security
>> Research, LLC.
>> References:
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:
> --
> Peace,
> Stacie M. Jones
> ~"Lokaa samastaa sukhino bhavantu,"~
> "May all worlds be happy."
