
Java Applets, CVE-2006-2199

Java Applets

1. Impact

A security vulnerability related to OpenOffice.org documents may allow certain Java applets to break out of the "sandbox" and gain full access to system resources with the current user's privileges. Such applets may be constructed to destroy or replace files, read or send private data, and/or cause additional security issues.

This issue is also described in:
CVE-2006-2199, http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-2199
Sun Alert 102475, http://sunsolve.sun.com/search/document.do?assetkey=1-26-102475-1

2. Contributing Factors

This issue can occur in the following releases:

OpenOffice.org 1.1.x, OpenOffice.org 2.0.x

3. Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited.

4. Relief/Workaround

To work around the described issue, disable support for Java Applets (for OpenOffice.org) by doing the following:

OpenOffice.org 1.x:

In the options dialog, select Tools/Options/OpenOffice.org/Security and uncheck "Enable Applets".

OpenOffice.org 2.x:

OpenOffice.org 2.0 no longer has a user interface (UI) for this option; the change must be made in a configuration file with a text editor. Add the following to your OpenOffice.org settings file, typically "~/.openoffice2.0/user/registry/data/org/openoffice/Office/Common.xcu":

<node oor:name="Java">
  <node oor:name="Applet">
    <prop oor:name="Enable" oor:type="xs:boolean"><value>false</value></prop>
  </node>
</node>
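
A check that the workaround above is in place, as an added example that is not part of the original bulletin: it parses the text of a Common.xcu file and reports the Java/Applet/Enable setting. The `oor` namespace URI, the `oor:component-data` wrapper and the sample file are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace bound to the oor: prefix in OpenOffice.org registry files (assumed).
OOR = "{http://openoffice.org/2001/registry}"

# Constructed sample Common.xcu content, not taken from a real user profile.
SAMPLE_XCU = """<oor:component-data xmlns:oor="http://openoffice.org/2001/registry"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    oor:name="Common" oor:package="org.openoffice.Office">
  <node oor:name="Java">
    <node oor:name="Applet">
      <prop oor:name="Enable" oor:type="xs:boolean">
        <value>false</value>
      </prop>
    </node>
  </node>
</oor:component-data>
"""

def _child(parent, tag, name):
    """Return the direct child <tag oor:name=name> of parent, or None."""
    if parent is None:
        return None
    for el in parent.findall(tag):
        if el.get(OOR + "name") == name:
            return el
    return None

def applet_setting(xcu_text):
    """Return 'disabled', 'enabled', 'unset' or 'invalid' for Java/Applet/Enable."""
    try:
        root = ET.fromstring(xcu_text)
    except ET.ParseError:
        return "invalid"
    applet = _child(_child(root, "node", "Java"), "node", "Applet")
    prop = _child(applet, "prop", "Enable")
    value = prop.find("value") if prop is not None else None
    if value is None or value.text is None:
        return "unset"  # no explicit value: the workaround is not in place
    text = value.text.strip().lower()
    if text in ("false", "0"):  # both are valid xs:boolean spellings
        return "disabled"
    if text in ("true", "1"):
        return "enabled"
    return "invalid"

if __name__ == "__main__":
    print(applet_setting(SAMPLE_XCU))
```

Only a result of "disabled" confirms the workaround; "unset" means the file carries no explicit value, so the installation default applies.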

5. Resolution

This issue is addressed in the following releases:

OpenOffice.org 1.1.5 Patch, OpenOffice.org 2.0.3


With the updated versions of OpenOffice.org, support for Java applets in OpenOffice.org will be disabled.

