poi-user mailing list archives

From "Sateesh K Kolusu" <sateesh.kol...@in.ibm.com>
Subject Re: Details on new vulnerability against Apache POI usage ?
Date Wed, 03 May 2017 12:16:51 GMT
Thank you Dominik. Can you throw some light on what you mean by
"So the vulnerability affects you if you are opening documents in the newer
format from an "untrusted" source, i.e. if you do not control how the files
are built."




---
Thanks in advance
Sateesh 



From:   Dominik Stadler <dominik.stadler@gmx.at>
To:     POI Users List <user@poi.apache.org>
Date:   04/27/2017 05:57 PM
Subject:        Re: Details on new vulnerability against Apache POI usage ?



Hi,

the vulnerability was concerning the XML parsing of files in the newer
Microsoft document formats (i.e. xlsx, docx, pptx, ...). These files are
actually zip-files with a bunch of XML-files inside. There was a
possibility to create a specially crafted xml-file as part of such a file so
that POI could go out-of-memory while processing such a file. There is no
specific functionality involved to trigger it as the initial parsing of the
files during opening the document via Apache POI triggers the problem.

So the vulnerability affects you if you are opening documents in the newer
format from an "untrusted" source, i.e. if you do not control how the files
are built.

Let us know if you need more details.

Dominik.

On Thu, Apr 27, 2017 at 8:50 AM, Sateesh K Kolusu <sateesh.kolusu@in.ibm.com> wrote:

> Hello -
> Recently saw this vulnerability
> Apache POI in versions prior to release 3.15 allows remote attackers to
> cause a denial of service (CPU consumption) via a specially crafted OOXML
> file, aka an XML Entity Expansion (XEE) attack. Users with applications
> which accept content from external or untrusted sources are advised to
> upgrade to Apache POI 3.15 or newer.
>
> We recently migrated to 3.14 a couple of months back. Though 3.14 is
> affected as per the above text, can someone give additional details what
> exactly is this vulnerability and how it affects? Does usage of any
> class or a method or some particular formatted input affect that? This
> will be more helpful to us in determining if 3.14 usage really affects or
> not.
>
>
> ---
> Thanks in advance
> Sateesh
>
>

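A defender-side pre-screen for the situation Dominik describes above (an OOXML file is a zip of XML parts, and an entity-expansion payload needs a DTD inside one of those parts): this is an added Python example, not code from the thread or from Apache POI, that rejects any XML part carrying a DOCTYPE or ENTITY declaration before the file is handed to a parser. The part names, size ceiling and sample workbook bytes are constructed for the demonstration.

```python
import io
import re
import zipfile

# Office never writes a DTD into its XML parts, and an entity-expansion
# payload cannot exist without one, so any DOCTYPE or ENTITY declaration
# is grounds for rejecting the file before a parser ever sees it.
DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
# Constructed ceiling for one inflated XML part; tune it per deployment.
MAX_PART_BYTES = 10 * 1024 * 1024

def find_dtd_parts(ooxml_bytes: bytes) -> list:
    """Names of XML parts that declare a DTD or whose declared uncompressed
    size exceeds MAX_PART_BYTES; an empty list means nothing was found.
    Parts are assumed UTF-8/ASCII (what Office emits); non-zip input
    raises zipfile.BadZipFile for the caller to handle."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith((".xml", ".rels")):
                continue
            # Check the central-directory size before inflating anything,
            # so an oversized part is flagged without being decompressed.
            if info.file_size > MAX_PART_BYTES:
                findings.append(name)
                continue
            if DTD_MARKER.search(zf.read(name)):
                findings.append(name)
    return findings

def build_sample(sheet_xml: bytes) -> bytes:
    """Minimal xlsx-shaped zip around one worksheet part: constructed test
    data, not a workbook that Excel or POI would fully load."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        zf.writestr("xl/workbook.xml", b'<?xml version="1.0"?><workbook/>')
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()

CLEAN_SHEET = b'<?xml version="1.0"?><worksheet><sheetData/></worksheet>'
# Constructed: a part carrying the DOCTYPE that any XEE payload needs.
DTD_SHEET = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE worksheet [<!ENTITY e "x">]>'
             b'<worksheet><sheetData>&e;</sheetData></worksheet>')
```

The screen is independent of which POI version parses the file afterwards, so it also covers the window before an upgrade to 3.15 lands.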