English:

The Free and Open Productivity Suite
Apache OpenOffice 4.1.2 released

CVE-2015-4551

Apache OpenOffice Advisory

CVE-2015-4551: TARGETED DATA DISCLOSURE

Fixed in Apache OpenOffice 4.1.2

Version 1.0
Announced November 4, 2015

A vulnerability in OpenOffice settings of OpenDocument Format files and templates allows silent access to files that are readable from an user account, over-riding the user's default configuration settings. Once these files are imported into a maliciously-crafted document, the data can be silently hidden in the document and possibly exported to an external party without being observed.

Severity: Important

There are no known exploits of this vulnerabilty.
A proof-of-concept demonstration exists.

Vendor: The Apache Software Foundation

Versions Affected

All Apache OpenOffice versions 4.1.1 and older are affected.
OpenOffice.org versions are also affected.

Related: CVE-2014-3575 and CVE-2012-0037

Mitigation

Apache OpenOffice users are urged to download and install Apache OpenOffice version 4.1.2 or later.

Apache OpenOffice 4.1.2 mitigates this vulnerability by ignoring in-document settings that over-ride default behavior when accessing data beyond the document itself. The automatic default behavior is changed to make such access evident to the user, who must then approve the access.

Nature of Attack

This vulnerability requires an exquisitely crafted attack to locate targeted files, silently retrieve them, and then deliver their data in a manner that escapes notice. Knowledge of the user's system and specific configuration is generally required.

Precautions

In addition to keeping Apache OpenOffice updated, users can reduce the threat of this kind of data access from ODF documents. Keep documents and sensitive materials separate from common, predictable locations, including on networks. Require additional access permissions for access to sensitive materials even when operating under the user's normal account.

Further Information

For additional information and assistance, consult the Apache OpenOffice Community Forums or make requests to the users@openofffice.apache.org public mailing list.

The latest information on Apache OpenOffice security bulletins can be found at the Bulletin Archive page.

Credits

The Apache OpenOffice security team thanks Federico "fox" Scrinzi for reporting the defect and Stephan Bergmann of Red Hat for analysis and a repair solution.


Security Home -> Bulletin -> CVE-2015-4551

Apache Feather

Copyright & License | Privacy | Website Feedback | Contact Us | Donate | Thanks

Apache and the Apache feather logo are trademarks of The Apache Software Foundation. OpenOffice, OpenOffice.org and the seagull logo are registered trademarks of The Apache Software Foundation. Other names appearing on the site may be trademarks of their respective owners.