Language

The Free and Open Productivity Suite
Released: Apache OpenOffice 4.1.13

CVE-2022-37400

Apache OpenOffice Advisory

Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password

Fixed in Apache OpenOffice 4.1.13

Description

Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data.

Severity: Moderate

There are no known exploits of this vulnerability.
A proof-of-concept demonstration exists.

Thanks to the reporter for discovering this issue.

Vendor: The Apache Software Foundation

Versions Affected

All Apache OpenOffice versions 4.1.12 and older are affected.
OpenOffice.org versions may also be affected.

Mitigation

Install Apache OpenOffice 4.1.13 for the latest maintenance and cumulative security fixes. Use the Apache OpenOffice download page.

Acknowledgments

The Apache OpenOffice Security Team would like to thank Selma Jabour, OpenSource Security GmbH, Germany on behalf of the German Federal Office for Information Security, for discovering and reporting this attack vector

Further Information

For additional information and assistance, consult the Apache OpenOffice Community Forums or make requests to the users@openoffice.apache.org public mailing list.

The latest information on Apache OpenOffice security bulletins can be found at the Bulletin Archive page.


Security Home-> Bulletin-> CVE-2022-37400

Apache Software Foundation

Copyright & License | Privacy | Contact Us | Donate | Thanks

Apache, OpenOffice, OpenOffice.org and the seagull logo are registered trademarks of The Apache Software Foundation. The Apache feather logo is a trademark of The Apache Software Foundation. Other names appearing on the site may be trademarks of their respective owners.