
====================================================================

                                CERT-Renater

                      Information Note No. 2012/VULN150
____________________________________________________________________

DATE                : 23/03/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running OpenOffice.org versions up to
                           and including 3.3, 3.4 Beta.

======================================================================
http://www.openoffice.org/security/cves/CVE-2012-0037.html
______________________________________________________________________

CVE-2012-0037

OpenOffice.org data leakage vulnerability

      Severity: Important
      Vendor: The Apache Software Foundation
      Versions Affected:
          o OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
          o Earlier versions may also be affected.
      Description:

      An XML External Entity (XXE) attack is possible
in the above versions of OpenOffice.org. This vulnerability exploits
the way in which external entities are processed in certain XML
components of ODF documents. By crafting an external entity to refer
to other local file system resources, an attacker would be able to
inject contents of other locally accessible files into the ODF
document, without the user's knowledge or permission. Data leakage
then becomes possible when that document is later distributed to
other parties.
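
      As an added illustration (not part of the advisory or of the
OpenOffice.org patch), the following Python check opens an ODF file,
which is a ZIP package, and reports every member that declares an
external entity, the construct described above. The member names and
the placeholder URI in build_sample are constructed for the example.

```python
import io
import re
import zipfile

# Matches <!ENTITY name SYSTEM "..."> and <!ENTITY % name PUBLIC "..." "...">:
# declarations whose replacement text is fetched from outside the document.
EXTERNAL_ENTITY = re.compile(rb"<!ENTITY\s+(?:%\s*)?([^\s>]+)\s+(SYSTEM|PUBLIC)\s")

def to_utf8(raw: bytes) -> bytes:
    """Re-encode BOM-marked UTF-16 so the byte pattern still applies."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace").encode("utf-8")
    return raw

def scan_odf(data: bytes) -> list:
    """Return (member, entity name, SYSTEM|PUBLIC) for each external entity
    declared in any member of the ODF package (a ZIP archive) in `data`."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if info.is_dir():
                continue
            for m in EXTERNAL_ENTITY.finditer(to_utf8(pkg.read(info))):
                name = m.group(1).decode("utf-8", "replace")
                findings.append((info.filename, name, m.group(2).decode("ascii")))
    return findings

def build_sample() -> bytes:
    """Constructed package: member names and the URI are placeholders, and
    the entity is only declared, never referenced."""
    clean = '<?xml version="1.0"?><doc>hello</doc>'
    flagged = ('<?xml version="1.0"?>\n'
               '<!DOCTYPE doc [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER"> ]>\n'
               '<doc/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        pkg.writestr("content.xml", clean)
        pkg.writestr("sample-a.xml", flagged)
        pkg.writestr("sample-b.xml", flagged.encode("utf-16"))
    return buf.getvalue()

if __name__ == "__main__":
    for member, name, kind in scan_odf(build_sample()):
        print(f"{member}: external entity {name!r} declared ({kind})")
```

      A hit marks a member for review before the document is opened in
an unpatched installation; it does not by itself prove the file is
malicious.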


      Mitigation

      OpenOffice.org 3.3.0 and 3.4 beta users can patch their
installation with the following patches. Download, unzip and follow
the instructions in the enclosed readme.pdf file.
          o For Windows installs (MD5) (SHA1)
          o For MacOS installs (MD5) (SHA1)
          o Linux and other platforms should consult their distro or
OS vendor for patch instructions.

      This vulnerability is also fixed in Apache OpenOffice 3.4 dev
snapshots since March 1st, 2012.

      Verifying the Integrity of Downloaded Files

      We have provided MD5 and SHA1 hashes of these patches, as well
as a detached digital signature, for those who wish to verify the
integrity of these files.

      The MD5 and SHA1 hashes can be verified using Unix tools like
sha1, sha1sum or md5sum.

      The PGP signatures can be verified using PGP or GPG. First
download the KEYS file, as well as the asc signature file for the
particular patch from above. Make sure you get these files from the
main distribution directory, rather than from a mirror. Then verify
the signatures as follows:

      % pgpk -a KEYS
      % pgpv CVE-2012-0037-{win|mac}.zip.asc
      or
      % pgp -ka KEYS
      % pgp CVE-2012-0037-{win|mac}.zip.asc
      or
      % gpg --import KEYS
      % gpg --verify CVE-2012-0037-{win|mac}.zip.asc

      Source and Building

      Information on obtaining the source code for this patch, and
for porting it or adapting it to OpenOffice.org derivatives can be
found here.

      Credit:

      The Apache OpenOffice project acknowledges and thanks the
discoverer of this issue, Timothy D. Morgan of Virtual Security
Research, LLC.

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
