List:       oss-security
Subject:    [oss-security] CVE-2017-12626 – Denial of Service Vulnerabilities in
From:       Tim Allison <tallison () apache ! org>
Date:       2018-01-26 19:31:27
Message-ID: 1190211676.1193152.1516995087060 () mail ! yahoo ! com

Title: CVE-2017-12626 – Denial of Service Vulnerabilities in Apache POI < 3.17

Severity: Important

Vendor: The Apache Software Foundation

Versions affected: versions prior to version 3.17

Description:
      Apache POI versions prior to release 3.17 are vulnerable to Denial of Service Attacks:
      * Infinite Loops while parsing specially crafted WMF, EMF, MSG and macros
        (POI bugs 61338 [0] and 61294 [1])
      * Out of Memory Exceptions while parsing specially crafted DOC, PPT and XLS
        (POI bugs 52372 [2] and 61295 [3])


Mitigation:   Users with applications which accept content from external or untrusted sources are advised to upgrade to Apache POI 3.17 or newer.

-Tim Allison

on behalf of the Apache POI PMC

  

[0] https://bz.apache.org/bugzilla/show_bug.cgi?id=61338
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=61294
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=52372
[3] https://bz.apache.org/bugzilla/show_bug.cgi?id=61295
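
An added example, not part of the advisory and not Apache POI project code: a small inventory check that walks a deployment directory and reports POI jars older than the fixed release 3.17. It assumes Maven-style jar file names (poi-3.16.jar, poi-ooxml-3.17-beta1.jar) and, as a conservative assumption, counts alpha/beta/RC builds of 3.17 as affected; POI classes repackaged inside a shaded or fat jar are not detected by file name.

```python
import re
import sys
from pathlib import Path

FIXED = (3, 17)  # first fixed release named in the advisory

# Maven-style names: <artifact>-<major>.<minor>[.<patch>][-qualifier].jar
JAR_RE = re.compile(
    r"^(poi(?:-[a-z]+)*)-(\d+)\.(\d+)(?:\.(\d+))?(-[\w.-]+)?\.jar$")
# Assumption: only these qualifiers mark a build that predates the final release;
# date stamps or "FINAL" suffixes are treated as the final release.
PRERELEASE_RE = re.compile(r"^-(alpha|beta|rc)", re.IGNORECASE)


def classify(jar_name):
    """Return (artifact, version, affected) for a POI jar name, else None."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    artifact, major, minor, patch, qualifier = m.groups()
    release = (int(major), int(minor))
    version = f"{major}.{minor}"
    if patch is not None:
        version += f".{patch}"
    if qualifier:
        version += qualifier
    prerelease = bool(qualifier and PRERELEASE_RE.match(qualifier))
    affected = release < FIXED or (release == FIXED and prerelease)
    return artifact, version, affected


def scan(root):
    """Return sorted (path, version) pairs for affected POI jars under root."""
    hits = []
    for jar in Path(root).rglob("poi*.jar"):
        info = classify(jar.name)
        if info and info[2]:
            hits.append((str(jar), info[1]))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python check_poi.py /path/to/app  (defaults to current directory)
    found = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, version in found:
        print(f"AFFECTED by CVE-2017-12626: {path} (POI {version})")
    sys.exit(1 if found else 0)
```

The non-zero exit status on a hit lets the check fail a build or deployment pipeline step.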

