=====================================================================

                                  CERT-Renater

                       Information Note No. 2024/VULN001

_____________________________________________________________________

DATE                : 03/01/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache OpenOffice versions prior
                     to 4.1.15.

=====================================================================
https://lists.apache.org/thread/3j6xs365ldkjt16ysyj1rtsr5hfdzcyn
https://lists.apache.org/thread/wh38q26r6r4zj13x9qndsd7n0mx56j66
https://lists.apache.org/thread/occ0f2nn5ozyx9bm8rdz2z397gmzdhdq
https://lists.apache.org/thread/t9h901vrygzlh3ktqkkmbqj1jzy665ty
_____________________________________________________________________

CVE-2023-47804: Apache OpenOffice: Macro URL arbitrary script
execution

Severity: important

Affected versions:

- Apache OpenOffice through 4.1.15


Description:

Apache OpenOffice documents can contain links that call internal macros
with arbitrary arguments. Several URI Schemes are defined for this
purpose.

Links can be activated by clicks, or by automatic document events.

The execution of such links must be subject to user approval.

In the affected versions of OpenOffice, approval for certain links is
not requested; when activated, such links could therefore result in
arbitrary script execution.

This is a corner case of CVE-2022-47502.


Credit:

Amel BOUZIANE-LEBLOND aka Icare Bug Bounty Hunter (reporter)


References:

https://openoffice.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-47804

_____________________________________________________________________

CVE-2022-43680: Apache OpenOffice: "Use after free" fixed in libexpat

Severity: Moderate

Affected versions:

- Apache OpenOffice through 4.1.15


Description:

In libexpat through 2.4.9, there is a use-after-free caused by
overeager destruction of a shared DTD in
XML_ExternalEntityParserCreate in out-of-memory situations.


References:
https://openoffice.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-43680

Arrigo

_____________________________________________________________________

CVE-2023-1183: Apache OpenOffice: Arbitrary file write in Apache
OpenOffice Base

Severity: Moderate

Affected versions:

- Apache OpenOffice through 4.1.15


Description:

An attacker can craft an ODB containing a "database/script" file with
a SCRIPT command where the contents of the file could be written to a
new file whose location was determined by the attacker.

There are no known exploits of this vulnerability.
A proof-of-concept demonstration exists.

Thanks to the reporter for discovering this issue.


Credit:

The Apache OpenOffice Security Team would like to thank Gregor Kopf of
Secfault Security GmbH (Germany) for discovering and reporting this
attack vector and Fred Toussi for kindly providing a solution to this
issue within HSQLDB.


References:
https://openoffice.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-1183


Arrigo
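
A triage check for the condition described under CVE-2023-1183 above, as
an added example that is not part of the advisory or of Apache
OpenOffice: it opens an ODB file as a ZIP package and reports SCRIPT
statements found in its "database/script" member. It assumes the ODB is
a ZIP package and that a SCRIPT statement starts its own line; the
function names, the size limit and the sample data are constructed for
illustration.

```python
import io
import re
import zipfile

MEMBER = "database/script"          # member path named in the advisory
MAX_BYTES = 16 * 1024 * 1024        # assumed cap on the uncompressed member
# Heuristic: the SCRIPT keyword at the start of a line, in any letter case.
SCRIPT_STMT = re.compile(r"^\s*SCRIPT\b", re.IGNORECASE)


def find_script_commands(odb_bytes):
    """Return [(line_number, text)] for SCRIPT statements in database/script.

    Returns [] when the package has no such member. Raises
    zipfile.BadZipFile for non-ZIP input and ValueError when the member is
    larger than MAX_BYTES (avoids decompressing an oversized entry).
    """
    with zipfile.ZipFile(io.BytesIO(odb_bytes)) as pkg:
        if MEMBER not in pkg.namelist():
            return []
        if pkg.getinfo(MEMBER).file_size > MAX_BYTES:
            raise ValueError("database/script exceeds size limit")
        raw = pkg.read(MEMBER)
    hits = []
    # Decode leniently so unexpected bytes do not stop the scan.
    text = raw.decode("utf-8", "replace")
    for number, line in enumerate(text.splitlines(), 1):
        if SCRIPT_STMT.match(line):
            hits.append((number, line.strip()))
    return hits


def make_sample(script_text, member=MEMBER):
    """Build a constructed, in-memory ODB-like ZIP for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr(member, script_text)
    return buf.getvalue()


# Constructed samples, not taken from any real document.
BENIGN = make_sample("CREATE SCHEMA PUBLIC AUTHORIZATION DBA\n"
                     "SET WRITE_DELAY 60\n")
SUSPECT = make_sample("CREATE SCHEMA PUBLIC AUTHORIZATION DBA\n"
                      "script 'CONSTRUCTED-PLACEHOLDER-PATH'\n")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, find_script_commands(blob))
```

A hit is a reason to quarantine the file for review, not proof of
malice; an empty result does not replace updating OpenOffice.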

_____________________________________________________________________

CVE-2012-5639: Apache OpenOffice: Loading internal / external
resources without warning

Severity: Moderate

Affected versions:

- Apache OpenOffice through 4.1.15


Description:

In Apache OpenOffice and LibreOffice, embedded content will be opened
automatically without a warning being shown.


Credit:

The Apache OpenOffice Security Team would like to thank Timo Warns
and Joachim Mammele for discovering and reporting this attack vector.


References:
https://openoffice.apache.org/
https://www.cve.org/CVERecord?id=CVE-2012-5639


Arrigo


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
