manifoldcf-dev mailing list archives

From "Karl Wright (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CONNECTORS-1012) Upgrade Apache POI to correct multiple security issues
Date Mon, 18 Aug 2014 23:47:18 GMT
Karl Wright created CONNECTORS-1012:
---------------------------------------

             Summary: Upgrade Apache POI to correct multiple security issues
                 Key: CONNECTORS-1012
                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1012
             Project: ManifoldCF
          Issue Type: Task
          Components: Lucene/SOLR connector
    Affects Versions: ManifoldCF 1.7
            Reporter: Karl Wright
            Assignee: Karl Wright
            Priority: Blocker
             Fix For: ManifoldCF 1.7


= CVE-2014-3529: XML External Entity (XXE) problem in Apache POI's OpenXML parser =
Type: Information disclosure
Description: Apache POI uses Java's XML components to parse OpenXML files produced by Microsoft
Office products (DOCX, XLSX, PPTX,...). Applications that accept such files from end-users
are vulnerable to XML External Entity (XXE) attacks, which allows remote attackers to bypass
security restrictions and read arbitrary files via a crafted OpenXML document that provides
an XML external entity declaration in conjunction with an entity reference.

= CVE-2014-3574: XML Entity Expansion (XEE) problem in Apache POI's OpenXML parser =
Type: Denial of service
Description: Apache POI uses Java's XML components and Apache Xmlbeans to parse OpenXML files
produced by Microsoft Office products (DOCX, XLSX, PPTX,...). Applications that accept such
files from end-users are vulnerable to XML Entity Expansion (XEE) attacks ("XML bombs"), which
allows remote hackers to consume large amounts of CPU resources.

The Apache POI PMC released a bugfix version (3.10.1) today.

Here is the Lucene/Solr recommended course of action (which we will have to map to MCF):

{code}
- Delete the following files in your "solr-4.X.X/contrib/extraction/lib" folder:
	# poi-3.10-beta2.jar
	# poi-ooxml-3.10-beta2.jar
	# poi-ooxml-schemas-3.10-beta2.jar
	# poi-scratchpad-3.10-beta2.jar
	# xmlbeans-2.3.0.jar
- Copy the following files from the base folder of the Apache POI distribution to the "solr-4.X.X/contrib/extraction/lib" folder:
	# poi-3.10.1-20140818.jar
	# poi-ooxml-3.10.1-20140818.jar
	# poi-ooxml-schemas-3.10.1-20140818.jar
	# poi-scratchpad-3.10.1-20140818.jar
- Copy "xmlbeans-2.6.0.jar" from POI's "ooxml-lib/" folder to the "solr-4.X.X/contrib/extraction/lib" folder.
- Verify that the "solr-4.X.X/contrib/extraction/lib" folder no longer contains any files with version number "3.10-beta2".
{code}

I will research whether all of these jars exist in Maven at this time; if they do, we should
fix this problem in MCF 1.7.




--
This message was sent by Atlassian JIRA
(v6.2#6252)
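
The Solr jar swap quoted in the ticket, scripted as POSIX shell functions. This is an added example, not code from the ticket, from Apache POI, or from the Solr or ManifoldCF projects. It assumes the POI 3.10.1 distribution has been unpacked to a directory passed in as an argument, and it builds a constructed sandbox (empty placeholder files named like the real jars, plus an unrelated assumed "tika-core-1.5.jar" that must survive the swap) so the whole procedure can be dry-run offline. The function names setup_sandbox, upgrade_poi and verify_lib are this example's own.

```shell
#!/bin/sh
# Added example (not from the ticket or the Solr/POI/ManifoldCF projects):
# the advisory's jar swap as shell functions, dry-run against a constructed
# sandbox. Directory layout and the tika-core placeholder are assumptions.
set -eu

OLD_VERSION="3.10-beta2"
NEW_VERSION="3.10.1-20140818"
POI_ARTIFACTS="poi poi-ooxml poi-ooxml-schemas poi-scratchpad"

# Build a throwaway tree mirroring the ticket's layout: a Solr extraction lib
# folder holding the vulnerable jars, and an unpacked POI 3.10.1 distribution
# with xmlbeans-2.6.0.jar under ooxml-lib/. Every jar is an empty placeholder.
setup_sandbox() {
  lib="$1/solr-4.X.X/contrib/extraction/lib"
  poi="$1/poi-3.10.1"
  mkdir -p "$lib" "$poi/ooxml-lib"
  for base in $POI_ARTIFACTS; do
    : > "$lib/$base-$OLD_VERSION.jar"
    : > "$poi/$base-$NEW_VERSION.jar"
  done
  : > "$lib/xmlbeans-2.3.0.jar"
  : > "$poi/ooxml-lib/xmlbeans-2.6.0.jar"
  : > "$lib/tika-core-1.5.jar"   # unrelated jar (assumed name) that must survive
}

# Steps 1-3 of the advisory: remove the beta2 jars and xmlbeans 2.3.0, copy the
# 3.10.1 jars from the POI base folder and xmlbeans 2.6.0 from ooxml-lib/.
upgrade_poi() {
  lib="$1"
  poi="$2"
  for base in $POI_ARTIFACTS; do
    rm -f "$lib/$base-$OLD_VERSION.jar"
    cp "$poi/$base-$NEW_VERSION.jar" "$lib/"
  done
  rm -f "$lib/xmlbeans-2.3.0.jar"
  cp "$poi/ooxml-lib/xmlbeans-2.6.0.jar" "$lib/"
}

# Step 4 of the advisory, made strict: succeed only if no file still carries the
# beta2 version string, every 3.10.1 jar is present, and the old xmlbeans is gone.
verify_lib() {
  lib="$1"
  if ls "$lib" | grep -q -- "$OLD_VERSION"; then
    echo "$lib still contains $OLD_VERSION jars" >&2
    return 1
  fi
  for base in $POI_ARTIFACTS; do
    [ -f "$lib/$base-$NEW_VERSION.jar" ] || { echo "missing $base-$NEW_VERSION.jar" >&2; return 1; }
  done
  [ -f "$lib/xmlbeans-2.6.0.jar" ] || { echo "missing xmlbeans-2.6.0.jar" >&2; return 1; }
  [ ! -e "$lib/xmlbeans-2.3.0.jar" ] || { echo "xmlbeans-2.3.0.jar still present" >&2; return 1; }
  return 0
}

# Stand-alone run: upgrade a sandbox, verify it, clean up.
demo() {
  tmp=$(mktemp -d)
  setup_sandbox "$tmp"
  upgrade_poi "$tmp/solr-4.X.X/contrib/extraction/lib" "$tmp/poi-3.10.1"
  if verify_lib "$tmp/solr-4.X.X/contrib/extraction/lib"; then
    echo "upgrade verified in $tmp/solr-4.X.X/contrib/extraction/lib"
  fi
  rm -rf "$tmp"
}

demo
```

To apply it to a real installation, call upgrade_poi and verify_lib with the actual extraction lib folder and the unpacked POI directory instead of the sandbox; verify_lib fails closed, so a jar left behind from the beta2 set is reported rather than silently tolerated.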
