oss-sec mailing list archives
CVE-2017-12626 – Denial of Service Vulnerabilities in Apache POI < 3.17
From: Tim Allison <tallison () apache org>
Date: Fri, 26 Jan 2018 19:31:27 +0000 (UTC)
Title: CVE-2017-12626 – Denial of Service Vulnerabilities in Apache POI < 3.17

Severity: Important

Vendor: The Apache Software Foundation

Versions affected: versions prior to version 3.17

Description: Apache POI versions prior to release 3.17 are vulnerable to Denial of Service Attacks:

* Infinite Loops while parsing specially crafted WMF, EMF, MSG and macros (POI bugs 61338 [0] and 61294 [1])
* Out of Memory Exceptions while parsing specially crafted DOC, PPT and XLS (POI bugs 52372 [2] and 61295 [3])

Mitigation: Users with applications which accept content from external or untrusted sources are advised to upgrade to Apache POI 3.17 or newer.

-Tim Allison on behalf of the Apache POI PMC

[0] https://bz.apache.org/bugzilla/show_bug.cgi?id=61338
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=61294
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=52372
[3] https://bz.apache.org/bugzilla/show_bug.cgi?id=61295
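As an added check, not part of the advisory and not Apache POI project code: a small Python script that scans the output of `mvn dependency:list` for org.apache.poi artifacts and flags any version prior to 3.17, the fixed release named in the mitigation. Pre-release qualifiers (3.17-beta1, 3.17-SNAPSHOT) are treated as earlier than the 3.17 final release, matching Maven's ordering. The dependency lines in `SAMPLE_DEPENDENCY_LIST` are constructed for the example; only the `group:artifact:jar:version:scope` line shape is Maven's.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:list` output (not taken from the
# advisory). Maven prints resolved artifacts as group:artifact:jar:version:scope.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.poi:poi:jar:3.16:compile
[INFO]    org.apache.poi:poi-ooxml:jar:3.17-beta1:compile
[INFO]    org.apache.poi:poi-scratchpad:jar:3.17:compile
[INFO]    org.apache.poi:poi-ooxml-schemas:jar:4.0.0:compile
[INFO]    commons-codec:commons-codec:jar:1.10:compile
"""

# First release that fixes CVE-2017-12626, per the advisory.
FIXED_VERSION = (3, 17)

_DEP_LINE = re.compile(
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):jar:(?P<version>[^:\s]+):(?P<scope>\w+)"
)


def parse_poi_version(version: str) -> Tuple[Tuple[int, ...], bool]:
    """Split '3.17-beta1' into ((3, 17), False): the numeric part and whether
    this is a final release (no '-qualifier' such as beta/rc/SNAPSHOT)."""
    numeric, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in numeric.split(".") if p.isdigit())
    return nums, qualifier == ""


def is_vulnerable(version: str) -> bool:
    """True if the POI version is prior to the 3.17 release."""
    nums, final = parse_poi_version(version)
    # Pad so that 3.17 compares equal to 3.17.0.
    width = max(len(nums), len(FIXED_VERSION))
    have = nums + (0,) * (width - len(nums))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    if have < fixed:
        return True
    # 3.17-beta1 / 3.17-SNAPSHOT sort before the 3.17 final release in Maven.
    return have == fixed and not final


def find_vulnerable_poi(dependency_list: str) -> List[Tuple[str, str]]:
    """Return (artifact, version) pairs for org.apache.poi artifacts < 3.17."""
    hits = []
    for line in dependency_list.splitlines():
        m = _DEP_LINE.search(line)
        if not m or m.group("group") != "org.apache.poi":
            continue
        if is_vulnerable(m.group("version")):
            hits.append((m.group("artifact"), m.group("version")))
    return hits


if __name__ == "__main__":
    for artifact, version in find_vulnerable_poi(SAMPLE_DEPENDENCY_LIST):
        print(f"VULNERABLE: org.apache.poi:{artifact}:{version} (< 3.17, CVE-2017-12626)")
```

Run `mvn dependency:list > deps.txt` in the project and feed the file's text to `find_vulnerable_poi`; anything it returns should be bumped to 3.17 or newer before the application is exposed to untrusted documents. The check covers only the POI artifacts themselves, not shaded or repackaged copies.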
Current thread:
- CVE-2017-12626 – Denial of Service Vulnerabilities in Apache POI < 3.17 Tim Allison (Jan 26)