If you're processing a specially crafted docx/xlsx/pptx (and their macro brethren), you could be vulnerable to:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing POI-colleagues, please correct me if I'm wrong, but you'd trigger this if you ran an extractor or even if you just opened the file with, say, XWPFDocument. For the potential effects of this vulnerability, see: http://thehackernews.com/2014/01/facebook-hacker-received-33500-reward.html https://blog.bugcrowd.com/advice-from-a-researcher-xxe/ -----Original Message----- From: Sateesh K Kolusu [mailto:[email protected]] Sent: Thursday, April 27, 2017 2:50 AM To: [email protected] Subject: Details on new vulnerability against Apache POI usage ? Hello - Recently saw this vulnerability Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack. Users with applications which accept content from external or untrusted sources are advised to upgrade to Apache POI 3.15 or newer. We recently migrated to 3.14 a couple of months back. Though 3.14 is affected as per the above text, can some one give additional details what exactly is this vulnerability and how it affects ? Does usage of any Class or a method or a some particular formatted input affects that ? This will be more helpful to us in determining if 3.14 usage really affects or not. --- Thanks in advance Sateesh --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
