[RHSA-2014:1399-01] Moderate: Apache POI security update

bugzilla at redhat.com bugzilla at redhat.com
Mon Oct 13 21:14:15 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Apache POI security update
Advisory ID:       RHSA-2014:1399-01
Product:           Red Hat JBoss BPM Suite
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1399.html
Issue date:        2014-10-13
CVE Names:         CVE-2014-3529 CVE-2014-3574 
=====================================================================

1. Summary:

An update for the Apache POI component that fixes two security issues is
now available from the Red Hat Customer Portal for Red Hat JBoss BPM Suite
6.0.3.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Description:

Apache POI is a library providing Java API for working with OOXML document
files.

It was found that Apache POI would resolve entities in OOXML documents.
A remote attacker able to supply OOXML documents that are parsed by Apache
POI could use this flaw to read files accessible to the user running the
application server, and potentially perform more advanced XML External
Entity (XXE) attacks. (CVE-2014-3529)

It was found that Apache POI would expand an unlimited number of entities
in OOXML documents. A remote attacker able to supply OOXML documents that
are parsed by Apache POI could use this flaw to trigger a denial of service
attack via excessive CPU and memory consumption. (CVE-2014-3574)

All users of Red Hat JBoss BPM Suite 6.0.3 as provided from the Red Hat
Customer Portal are advised to apply this security update.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the updates). Before applying the updates, back up your
existing installation, including all applications, configuration files,
databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update, and then after installing
the update, restart the server by starting the JBoss Application Server
process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1138135 - CVE-2014-3529 apache-poi: XML eXternal Entity (XXE) flaw
1138140 - CVE-2014-3574 apache-poi: entity expansion (billion laughs) flaw

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-3529.html
https://www.redhat.com/security/data/cve/CVE-2014-3574.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.0.3

6. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUPECZXlSAg2UNWIIRAivPAJ9edFU/svnIaYZYoG3EAgsb/qBLTwCeIUOm
4usrH1s9uTDFqjpLnbIX6D4=
=uxv6
-----END PGP SIGNATURE-----





More information about the Jboss-watch-list mailing list