[this announcement is available online at https://s.apache.org/4gj2y ]

Wilmington, DE — 4 May 2021 —

Who: Apache OpenOffice, an Open Source office-document productivity suite 
comprising six productivity applications: Writer, Calc, Impress, Draw, Math, 
and Base. The OpenOffice suite is based around the OpenDocument Format (ODF), 
supports 41 languages, and ships for Windows, macOS, Linux 64-bit, and Linux 
32-bit. Apache OpenOffice delivers up to 2.4 Million downloads each month.

What: A recently reported vulnerability affects all versions of OpenOffice 
through 4.1.9: they can open non-http(s) hyperlinks, which could lead to 
untrusted code execution.

The Apache OpenOffice Project has filed a Common Vulnerabilities and Exposures 
report with MITRE Corporation’s national vulnerability reporting system:

> CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes 
> in Hyperlinks
>
> Severity: moderate
>
> Credit: Fabian Bräunlein and Lukas Euler of Positive Security 
> https://positive.security/blog/url-open-rce#open-libreoffice

The complete CVE report is available at 
https://www.openoffice.org/security/cves/CVE-2021-30245.html

How: Applications of the OpenOffice suite handle non-http(s) hyperlinks in an 
insecure way, allowing for 1-click code execution on Windows and Xubuntu 
systems via malicious executable files hosted on Internet-accessible file 
shares.

Why: The mitigation in Apache OpenOffice 4.1.10 ensures that a security warning 
is displayed, giving users the option of continuing to open the hyperlink. Best 
practice is to be careful when opening documents from unknown and unverified 
sources.
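
Added example, not part of the original announcement and not Apache OpenOffice 
code: a Python check that lists hyperlinks in an ODF file whose scheme is not 
http(s), the class of link described under "How", so a document can be triaged 
before it is opened. It assumes hyperlinks are stored as text:a or draw:a 
elements in content.xml or styles.xml; the function names, the sample document 
and its host names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Assumption: hyperlinks are the ODF text:a and draw:a elements.
LINK_TAGS = {
    "{urn:oasis:names:tc:opendocument:xmlns:text:1.0}a",
    "{urn:oasis:names:tc:opendocument:xmlns:drawing:1.0}a",
}
MAX_XML_BYTES = 50 * 1024 * 1024  # refuse oversized members (zip bombs)

def non_http_hyperlinks(odf_bytes):
    """Return sorted (member, href, scheme) for links that are not http(s)."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        for member in ("content.xml", "styles.xml"):
            if member not in pkg.namelist():
                continue
            if pkg.getinfo(member).file_size > MAX_XML_BYTES:
                raise ValueError(f"{member} is too large to scan")
            root = ET.fromstring(pkg.read(member))
            for el in root.iter():
                href = (el.get(XLINK_HREF) or "").strip()
                if el.tag not in LINK_TAGS or not href or href.startswith("#"):
                    continue  # not a hyperlink, or an in-document anchor
                scheme = urlsplit(href).scheme.lower()
                if scheme not in ("http", "https"):
                    findings.add((member, href, scheme or "(relative)"))
    return sorted(findings)

def build_sample_odt():
    """Constructed sample: a minimal ODF package holding four hyperlinks."""
    links = ["https://www.openoffice.org/download/", "#Section1",
             "smb://fileshare.example.invalid/docs/readme",
             "file:///tmp/constructed-sample"]
    body = "".join(f'<text:a xlink:href="{u}">link</text:a>' for u in links)
    ns = ('xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
          'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
          'xmlns:xlink="http://www.w3.org/1999/xlink"')
    content = (f'<office:document-content {ns}><office:body><office:text><text:p>'
               f'{body}</text:p></office:text></office:body></office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", content)
    return buf.getvalue()

if __name__ == "__main__":
    print(*non_http_hyperlinks(build_sample_odt()), sep="\n")
```

To scan a real file, pass its bytes to non_http_hyperlinks(); links with no 
scheme at all are reported as "(relative)" so they can be reviewed separately.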

When: The vulnerability predates OpenOffice entering the Apache Incubator. 
During the analysis of this issue, it was discovered that an incorrect bug fix 
was made by the StarOffice/OpenOffice.org developers preparing OpenOffice 2.0 
in 2005, whilst under the auspices of Sun Microsystems. 

Where: Download Apache OpenOffice v4.1.10 at 
https://www.openoffice.org/download/

Apache OpenOffice Highlights

24 October 2020 — 300 million downloads of Apache OpenOffice
14 October 2020 — 20 year anniversary of OpenOffice
18 October 2016 — 200 million downloads of Apache OpenOffice
17 April 2014 — 100 million downloads of Apache OpenOffice
17 October 2012 — OpenOffice graduated as an Apache Top Level Project (TLP)
13 June 2011 — OpenOffice.org entered the Apache Incubator

[downloads are binary installation files]

For more information, visit https://openoffice.apache.org/ and 
https://twitter.com/ApacheOO

About The Apache Software Foundation (ASF)
Established in 1999, The Apache Software Foundation is the world’s largest Open 
Source foundation, stewarding 227M+ lines of code and providing more than $20B+ 
worth of software to the public at 100% no cost. The ASF’s all-volunteer 
community grew from 21 original founders overseeing the Apache HTTP Server to 
850+ individual Members and 200 Project Management Committees who successfully 
lead 350+ Apache projects and initiatives in collaboration with more than 8,100 
Committers through the ASF’s meritocratic process known as "The Apache Way". 
Apache software is integral to nearly every end user computing device, from 
laptops to tablets to mobile devices across enterprises and mission-critical 
applications. Apache projects power most of the Internet, manage exabytes of 
data, execute teraflops of operations, and store billions of objects in 
virtually every industry. The commercially-friendly and permissive Apache 
License v2 is an Open Source industry standard, helping launch billion dollar 
corporations and benefiting countless users worldwide. The ASF is a US 
501(c)(3) not-for-profit charitable organization funded by individual donations 
and corporate sponsors including Aetna, Alibaba Cloud Computing, Amazon Web 
Services, Anonymous, Baidu, Bloomberg, Budget Direct, Capital One, Cloudera, 
Comcast, Confluent, Didi Chuxing, Facebook, Google, Handshake, Huawei, IBM, 
Microsoft, Namebase, Pineapple Fund, Red Hat, Reprise Software, Target, 
Tencent, Union Investment, Verizon Media, and Workday. For more information, 
visit http://apache.org/ and https://twitter.com/TheASF

© The Apache Software Foundation. "Apache", "OpenOffice", "Apache OpenOffice", 
and "ApacheCon" are registered trademarks or trademarks of the Apache Software 
Foundation in the United States and/or other countries. All other brands and 
trademarks are the property of their respective owners.

# # #
