From: "Javen O'Neal"
To: POI Users List
Date: Wed, 3 May 2017 12:34:09 -0700
Subject: Re: Details on new vulnerability against Apache POI usage ?

If you read the CVE, POI 3.15 and earlier are vulnerable to hand-crafted XML attacks. See Billion Laughs [1]. These won't exist in an XML file by accident--they're deliberately added by someone with malicious intent or someone copying the XML contents of an untrustworthy file without checking the contents.

The consequence is a denial of service, either by exhausting available memory (which will thrash the JVM's garbage collector until the JVM figures out that there isn't enough memory that can be gc'd to allocate the requested memory), or a denial of service by pegging the CPU doing work that grows exponentially, whichever DoS vector occurs first.

[1] Billion Laughs example
https://en.wikipedia.org/wiki/Billion_laughs#Code_example

On May 3, 2017 06:38, "Andreas Beeker" wrote:
>
> We specifically use POI ONLY for extracting data from Microsoft Excel
> sheets ...
> Do you trust and know the people/programs generating those Excel sheets?
> Yes -> no need to upgrade
> No -> upgrade!
>
>
> PS: Sorry for the double posting ... it was in the wrong list ....
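A triage check for the kind of file Javen describes, added here as example code that is not part of the thread and not Apache POI's own code: it walks the XML parts of an OOXML (.xlsx) package and reports any part that declares a DOCTYPE or an entity, which, as the email notes, do not appear in such a file by accident. The package layout, part names and sample parts are constructed for the demo and do not form a real workbook.

```python
import io
import zipfile
import xml.parsers.expat

class DtdFound(Exception):
    """Raised as soon as expat reports a DOCTYPE or entity declaration."""

def inspect_part(xml_bytes: bytes) -> str:
    """Classify one XML part as 'clean', 'dtd' or 'malformed'. Using expat's
    declaration callbacks instead of a text search means a DOCTYPE after a
    comment is still caught and '<!DOCTYPE' inside CDATA is not a false hit."""
    parser = xml.parsers.expat.ParserCreate()

    def reject(*_args):
        raise DtdFound()

    parser.StartDoctypeDeclHandler = reject  # fires at '<!DOCTYPE ...'
    parser.EntityDeclHandler = reject        # fires at each '<!ENTITY ...>'
    try:
        parser.Parse(xml_bytes, True)
    except DtdFound:
        return "dtd"
    except xml.parsers.expat.ExpatError:
        return "malformed"  # a parser would reject it anyway; still worth a look
    return "clean"

def scan_workbook(xlsx_bytes: bytes) -> list:
    """Return the names of XML parts in an OOXML package that are not clean."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith((".xml", ".rels")) and inspect_part(zf.read(name)) != "clean":
                flagged.append(name)
    return flagged

def build_sample(with_dtd: bool) -> bytes:
    """Constructed two-part package (not a real workbook) to exercise the scanner."""
    sheet = '<?xml version="1.0"?><worksheet><sheetData/></worksheet>'
    if with_dtd:
        # Hypothetical part carrying an internal DTD; one harmless entity is
        # enough to trip the check, since generated workbooks declare none.
        sheet = ('<?xml version="1.0"?><!DOCTYPE worksheet [<!ENTITY e "x">]>'
                 '<worksheet>&e;</worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()
```

Run `scan_workbook` over an incoming file before handing it to the parser; an empty list means no part carries a DTD, while any flagged part name is reason to quarantine the file rather than open it.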