Republished without change. This advisory, originally posted
on 2015-11-04, died in a moderation queue and did not reach
the list. The announce@openoffice.apache.org is the official
mailing list for Apache OpenOffice security advisories, as
specified at <http://www.openoffice.org/security/alerts.html>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NOTICE: APACHE OPENOFFICE SECURITY ADVISORY
CVE-2015-4551: TARGETED DATA DISCLOSURE
FIXED IN APACHE OPENOFFICE 4.1.2
CVE-2015-4551
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4551>
Apache OpenOffice Advisory
<https://www.openoffice.org/security/cves/CVE-2015-4551.html>
Title: Targeted Data Disclosure
Version 1.0
Announced 2015-11-04
A vulnerability in OpenOffice settings of OpenDocument Format
files and templates allows silent access to files that are
readable from an user account, over-riding the user's default
configuration settings. Once these files are imported into a
maliciously-crafted document, the data can be silently hidden
in the document and possibly exported to an external party
without being observed.
Severity: Important
There are no known exploits of this vulnerability.
A proof-of-concept demonstration exists.
Vendor: The Apache Software Foundation
Versions Affected:
All Apache OpenOffice versions 4.1.1 and older are affected.
OpenOffice.org versions are also affected.
Related
CVE-2014-3575
<https://www.openoffice.org/security/cves/CVE-2014-3575.html>
CVE-2012-0037
<https://www.openoffice.org/security/cves/CVE-2012-0037.html>
Mitigation
Apache OpenOffice users are urged to download and install Apache
OpenOffice version 4.1.2 or later.
Apache OpenOffice 4.1.2 mitigates this vulnerability by ignoring
in-document settings that over-ride default behavior when accessing
data beyond the document itself. The automatic default behavior
is changed to make such access evident to the user, who must then
approve the access.
Nature of Attack
This vulnerability requires an exquisitely crafted attack to
locate targeted files, silently retrieve them, and then deliver
their data in a manner that escapes notice. Knowledge of the
user's system and specific configuration is generally required.
Precautions
In addition to keeping Apache OpenOffice updated, users can reduce
the threat of this kind of data access from ODF documents. Keep
documents and sensitive materials separate from common,
predictable locations, including on networks. Require
additional access permissions for access to sensitive materials
even when operating under the user's normal account.
Further Information
For additional information and assistance, consult the Apache
OpenOffice Community Forums, <https://forum.openoffice.org/>,
or make requests to the <mailto:us...@openoffice.apache.org>
public mailing list.
The latest information on Apache OpenOffice security bulletins
can be found at <http://www.openoffice.org/security/bulletin.html>.
Credits
The Apache OpenOffice security team thanks Federico "fox" Scrinzi
for reporting the defect and Stephan Bergmann of Red Hat for
analysis and a repair solution.
PGP key Fingerprint 04D0 4322 979B 84DE 1077 0334 F96E 89FF D456 628A
<https://people.apache.org/keys/committer/orcmid.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBAgAGBQJWOpZCAAoJEPluif/UVmKKrI4H/0NqbgMzqfEVjXyFla2yjVKK
DAHXd6/LlVTggSDWJxnUnBEqGbZH3Jchm9WNzAym9j1uuAU/XTHQdZr5OU0JAh6w
W+9WcEvXSAUUx0eY+FZIZKAAinmSb9ITn5QjVnmYO7RDAULrl5/tC3TrVYbhPzdY
8cAzx0gy38HArFqJA/Gn89q25w5/1UwrO8rwQE9JmgCeAXiUFCbiurGxpqJxa9YI
oo/pgs9CJfRVu6riRc2Sdglbc4g4gy9zip7F8lxa8diaJOA8ZGkxwNnIDUbX3jTH
VVQ9ws6bQQzup7eLvV/LSdohGosWcOU2VM0mp3D8JIwq5TF5i7KBQmFFyC595k4=
=gVz2
-----END PGP SIGNATURE-----
