  1. #1
    Silver Lounger

    OpenOffice Security Alert

    Got the following in an E-Mail a few minutes ago from Apache's OpenOffice.
    CVE-2015-1774

    OpenOffice HWP Filter Remote Code Execution and Denial of Service
    Vulnerability

    A vulnerability in OpenOffice's HWP filter allows attackers to cause a
    denial of service (memory corruption and application crash) or possibly
    execution of arbitrary code by preparing specially crafted documents in
    the HWP document format.

    Severity: Important

    Vendor: The Apache Software Foundation

    Versions Affected:

    All Apache OpenOffice versions 4.1.1 and older are affected.

    Mitigation:

    Apache OpenOffice users are advised to remove the problematic library in
    the "program" folder of their OpenOffice installation. On Windows it is
    named "hwp.dll", on Mac it is named "libhwp.dylib" and on Linux it is
    named "libhwp.so". Alternatively the library can be renamed to anything
    else e.g. "hwp_renamed.dll".
    This mitigation will drop AOO's support for documents created in "Hangul
    Word Processor" versions from 1997 or older. Users of such documents are
    advised to convert their documents to other document formats such as
    OpenDocument before doing so.

    Apache OpenOffice aims to fix the vulnerability in version 4.1.2.
    http://www.apache.org
    http://www.openoffice.org/

  2. The Following 2 Users Say Thank You to Berton For This Useful Post:

    biga (2015-04-27),satrow (2015-04-25)
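The mitigation quoted in post #1 (remove or rename the HWP filter library in the "program" folder), as an added example that is not part of the original post or of Apache's advisory. The path to the "program" folder is supplied by the user, and the `_renamed` suffix is an assumption modelled on the advisory's "hwp_renamed.dll" example.

```python
import sys
from pathlib import Path

# Library names exactly as listed in the advisory (Windows, Mac, Linux).
HWP_LIBS = ("hwp.dll", "libhwp.dylib", "libhwp.so")
SUFFIX = "_renamed"  # assumption: mirrors the advisory's "hwp_renamed.dll"


def disabled_name(lib_name):
    """hwp.dll -> hwp_renamed.dll, libhwp.so -> libhwp_renamed.so"""
    p = Path(lib_name)
    return f"{p.stem}{SUFFIX}{p.suffix}"


def audit(program_dir):
    """Return the HWP filter libraries that are still present under their
    original names (and therefore still loadable) in program_dir."""
    d = Path(program_dir)
    return [d / name for name in HWP_LIBS if (d / name).is_file()]


def mitigate(program_dir, dry_run=True):
    """Rename every active HWP library; return the (old, new) pairs.
    With dry_run=True nothing on disk is changed."""
    handled = []
    for lib in audit(program_dir):
        target = lib.with_name(disabled_name(lib.name))
        if target.exists():
            # Never overwrite an earlier rename; let the admin decide.
            raise FileExistsError(f"{target} already exists; resolve by hand")
        if not dry_run:
            lib.rename(target)
        handled.append((lib, target))
    return handled


if __name__ == "__main__":
    # Usage: python hwp_mitigate.py PROGRAM_DIR [--apply]
    if len(sys.argv) < 2:
        sys.exit("usage: hwp_mitigate.py PROGRAM_DIR [--apply]")
    apply = "--apply" in sys.argv[2:]
    for old, new in mitigate(sys.argv[1], dry_run=not apply):
        print("renamed" if apply else "would rename", old, "->", new)
    remaining = audit(sys.argv[1])
    print("still active:", [str(p) for p in remaining] or "none")
```

Run it with OpenOffice closed and with write access to the installation folder; as the advisory notes, convert any old HWP documents to another format first.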

  3. #2
    jwoods
    Guest
    I get email alerts from US-CERT.

    https://www.us-cert.gov/

    I didn't see the Open Office vulnerability listed there, or on the list of known issues for 4.1.1 on the Open Office website.

    That CVE appears to be assigned to LibreOffice...

    https://security-tracker.debian.org/.../CVE-2015-1774
    Last edited by jwoods; 2015-04-25 at 16:21.

  4. #3
    Super Moderator
    Quote Originally Posted by jwoods View Post
    I didn't see the Open Office vulnerability listed there, or on the list of known issues for 4.1.1 on the Open Office website.
    It was an unknown issue in 4.1.1. They can't list those.

  5. #4
    jwoods
    Guest
    I guess it's a known issue now, since it was published in the email and has a CVE number assigned...

    "All Apache OpenOffice versions 4.1.1 and older are affected".

    Interesting that the CVE number doesn't match up with what has been published online.
    Last edited by jwoods; 2015-04-25 at 17:00.

  6. #5
    Super Moderator
    Quote Originally Posted by jwoods View Post
    Interesting that the CVE number doesn't match up with what has been published online.
    I think it does. It's been reserved and probably applies to both OpenOffice and LibreOffice since they share heritage.

  7. #6
    jwoods
    Guest
    Maybe...the CVE link only included LibreOffice.

    The problem here is that if this is a genuine vulnerability notification, those that continue to download and install 4.1.1 are not being informed, either in the known issues page, or the security reports page.

    You can have the last word...I'm out.
