[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2022-37401: Apache OpenOffice Weak Master Keys
From:       "Carl B. Marcum" <cmarcum () apache ! org>
Date:       2022-08-12 22:38:45
Message-ID: 7644e755-cfdd-5fa1-6e85-ea43ef69802b () apache ! org
[Download RAW message or body]

Severity: important

Description:

Apache OpenOffice supports the storage of passwords for web connections in =
the user's configuration database. The stored passwords are encrypted with =
a single master key provided by the user. A flaw in OpenOffice existed =
where master key was poorly encoded resulting in weakening its entropy from=
 128 to 43 bits making the stored passwords vulnerable to a brute force =
attack if an attacker has access to the users stored config. This issue =
affects: Apache OpenOffice versions prior to 4.1.13.  Reference: =
CVE-2022-26307 - LibreOffice

Credit:

 OpenSource Security GmbH on behalf of the German Federal Office for =
Information Security

References:

https://www.openoffice.org/security/cves/CVE-2022-37401.html

[prev in list] [next in list] [prev in thread] [next in thread]