poi-user mailing list archives

From "Javen O'Neal" <one...@apache.org>
Subject Re: Details on new vulnerability against Apache POI usage ?
Date Wed, 03 May 2017 19:34:09 GMT

If you read the CVE, POI 3.15 and earlier are vulnerable to hand-crafted
XML attacks. See Billion Laughs [1]. These won't exist in an XML file by
accident--they're deliberately added by someone with malicious intent or
someone copying the XML contents of an untrustworthy file without checking
the contents.

The consequence is a denial of service, either by exhausting available
memory (which will thrash the JVM's garbage collector until the JVM figures
out that there isn't enough memory that can be gc'd to allocate the
requested memory), or a denial of service by pegging the CPU doing work
that grows exponentially, whichever DoS vector occurs first.

[1] Billion Laughs example

On May 3, 2017 06:38, "Andreas Beeker" <kiwiwings@apache.org> wrote:

> > We specifically use POI ONLY for extracting data from Microsoft Excel
> > sheets ...
> Do you trust and know the people/programs generating those Excel sheets?
> Yes -> no need to upgrade
> No -> upgrade!
> PS: Sorry for the double posting ... it was in the wrong list ....
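
A pre-screen for the untrusted-input case discussed in this thread, as an added example (not code from the POI project or from either poster): it scans the parts of an .xlsx package for a DOCTYPE declaration, which is where Billion Laughs entity definitions have to be declared, before the file is handed to a parser. The class name, method names and size cap are assumptions made for the illustration, and the sample parts in `main` are constructed.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.zip.*;

public class OoxmlDtdScreen {
    // Assumed cap on bytes inspected per part, so the screen cannot be exhausted itself.
    static final long MAX_PART_BYTES = 64L * 1024 * 1024;
    static final byte[] MARKER = "<!DOCTYPE".getBytes(StandardCharsets.US_ASCII);

    /** Name of the first part that declares a DTD or exceeds the cap, or null if none. */
    static String firstSuspectPart(InputStream pkg) throws IOException {
        byte[] buf = new byte[8192];
        try (ZipInputStream zip = new ZipInputStream(pkg)) {
            for (ZipEntry e; (e = zip.getNextEntry()) != null; ) {
                long read = 0;
                int matched = 0;
                for (int len; (len = zip.read(buf)) != -1; ) {
                    if ((read += len) > MAX_PART_BYTES) return e.getName();
                    for (int i = 0; i < len; i++) {
                        byte b = buf[i];
                        if (b == 0) continue; // skip NULs so UTF-16 encoded parts match too
                        if (b == MARKER[matched]) {
                            if (++matched == MARKER.length) return e.getName();
                        } else {
                            matched = (b == MARKER[0]) ? 1 : 0; // '<' occurs only at index 0
                        }
                    }
                }
            }
        }
        return null;
    }

    // Builds a one-entry zip in memory; used only for the constructed samples below.
    static byte[] zipOf(String name, String xml) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(out)) {
            z.putNextEntry(new ZipEntry(name));
            z.write(xml.getBytes(StandardCharsets.UTF_8));
            z.closeEntry();
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample parts, not real workbooks; the entity here is a single harmless one.
        byte[] clean = zipOf("xl/workbook.xml", "<?xml version=\"1.0\"?><workbook/>");
        byte[] withDtd = zipOf("xl/sharedStrings.xml",
                "<?xml version=\"1.0\"?><!DOCTYPE sst [<!ENTITY a \"x\">]><sst>&a;</sst>");
        System.out.println("clean   -> " + firstSuspectPart(new ByteArrayInputStream(clean)));
        System.out.println("withDtd -> " + firstSuspectPart(new ByteArrayInputStream(withDtd)));
    }
}
```

The screen rejects conservatively (a `<!DOCTYPE` string inside a comment or a binary part also trips it) and covers only zip-based .xlsx input, so it supplements the upgrade advised above rather than replacing it.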
