Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM0B000A0891A3DD2B6FEEDDE868C5765ECFB2CF839563136900F2FFB29F7ED71C
HistoryMay 08, 2023 - 8:37 a.m.

Security Bulletin: Atlas eDiscovery Process Management is affected by a vulnerable poi-ooxml-3.9.jar

2023-05-0808:37:05
www.ibm.com
18
atlas ediscovery process management
vulnerable
poi-ooxml-3.9.jar
upgrade
fix
apache poi
cve-2017-5644
cve-2019-12415
cve-2014-3574
cve-2014-3529
xml external entity injection
denial of service

7.1 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.014 Low

EPSS

Percentile

86.3%

JSON

Summary

Atlas eDiscovery Process Management is affected by a vulnerable poi-ooxml-3.9.jar. Hence poi-ooxml-3.9.jar upgraded to poi-ooxml-4.0.jar to fix vulnerabilities.

Vulnerability Details

CVEID:CVE-2017-5644
**DESCRIPTION:**Apache POI is vulnerable to a denial of service, cause by an XML External Entity Injection (XXE) error when processing XML data. By using a specially-crafted OOXML file, a remote attacker could exploit this vulnerability to consume all available CPU resources.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/123699 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-12415
**DESCRIPTION:**Apache POI could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by tool XSSFExportToXml. By sending a specially-crafted document, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170015 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2014-3574
**DESCRIPTION:**Apache POI is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. An attacker could exploit this vulnerability using a specially-crafted OOXML file to consume all available CPU resources and cause a denial of service.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/95768 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID:CVE-2014-3529
**DESCRIPTION:**Apache POI could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error within the OPC SAX setup. An attacker could exploit this vulnerability using a specially-crafted OpenXML file containing an XML external entity declaration to read arbitrary files on the system.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/95770 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
Atlas eDiscovery Process Management 6.0.3

Remediation/Fixes

_ Product_

|

_ VRMF_

|

_ Remediation/First Fix_

โ€”|โ€”|โ€”

Atlas eDiscovery Process Management

|

6.0.3

|

Apply Fix Pack 6.0.3.9 Interim fix 7, available from Fix Central

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmatlas_ediscovery_process_managementMatch6.0.3.9

Related

ibm 42
openvas 4
redhat 6
fedora 4
mageia 1
nessus 10
cve 4
debiancve 4
cvelist 4
prion 4
veracode 2
nvd 4
github 4
ubuntucve 4
osv 6
redhatcve 1
symantec 1
oracle 11
ibm
ibm
Security Bulletin: Vulnerabilities found in poi-ooxml-3.9.jar which is shipped with IBMยฎ Intelligent Operations Center(CVE-2017-5644, CVE-2019-12415, CVE-2014-3574, CVE-2014-3529)
2023-09-05 12:52:50
Security Bulletin: IBM OpenPages GRC Platform has addressed multiple Apache POI vulnerabilities (CVE-2017-5644, CVE-2016-5000, CVE-2014-3574)
2018-06-15 22:48:15
Security Bulletin: IBM Forms Experience Builder could be susceptible to Apache POI Vulnerabilities
2018-06-16 20:07:27
openvas
openvas
Fedora Update for apache-poi FEDORA-2015-2087
2015-02-25 00:00:00
Fedora Update for apache-poi FEDORA-2014-10322
2014-09-20 00:00:00
Mageia: Security Advisory (MGASA-2014-0550)
2022-01-28 00:00:00
redhat
redhat
(RHSA-2014:1399) Moderate: Apache POI security update
2014-10-13 16:38:20
(RHSA-2014:1398) Moderate: Apache POI security update
2014-10-13 16:37:40
(RHSA-2014:1400) Moderate: Apache POI security update
2014-10-13 16:38:47
fedora
fedora
[SECURITY] Fedora 21 Update: apache-poi-3.10.1-1.fc21
2014-09-27 10:07:00
[SECURITY] Fedora 20 Update: apache-poi-3.10.1-1.fc20
2014-09-19 10:14:54
[SECURITY] Fedora 21 Update: apache-poi-3.10.1-2.fc21
2015-02-23 08:01:19
mageia
mageia
Updated apache-poi packages fix security vulnerabilities
2014-12-26 20:04:58
nessus
nessus
Fedora 21 : apache-poi-3.10.1-1.fc21 (2014-10171)
2014-09-29 00:00:00
Fedora 21 : apache-poi-3.10.1-2.fc21 (2015-2087)
2015-02-24 00:00:00
Fedora 20 : apache-poi-3.10.1-1.fc20 (2014-10322)
2014-09-10 00:00:00
cve
cve
CVE-2017-5644
2017-03-24 14:59:00
CVE-2014-3529
2014-09-04 17:55:05
CVE-2019-12415
2019-10-23 20:15:12
debiancve
debiancve
CVE-2017-5644
2017-03-24 14:59:00
CVE-2019-12415
2019-10-23 20:15:12
CVE-2014-3574
2014-09-04 17:55:05
cvelist
cvelist
CVE-2017-5644
2017-03-24 14:00:00
CVE-2019-12415
2019-10-23 19:27:20
CVE-2014-3529
2014-09-04 17:00:00
prion
prion
Design/Logic Flaw
2017-03-24 14:59:00
Xxe
2019-10-23 20:15:00
Xxe
2014-09-04 17:55:00
veracode
veracode
Denial Of Service (DoS) Via XML External Expansion (XEE)
2017-03-22 01:45:07
XML External Entity (XXE)
2019-10-24 07:13:29
nvd
nvd
CVE-2017-5644
2017-03-24 14:59:00
CVE-2019-12415
2019-10-23 20:15:12
CVE-2014-3529
2014-09-04 17:55:05
github
github
Improper Restriction of Recursive Entity References in DTDs in Apache POI
2022-05-13 01:14:24
Improper Restriction of XML External Entity Reference in Apache POI
2022-05-24 16:59:46
Improper Restriction of XML External Entity Reference in Apache POI
2022-05-17 01:24:40
ubuntucve
ubuntucve
CVE-2017-5644
2017-03-24 00:00:00
CVE-2019-12415
2019-10-23 00:00:00
CVE-2014-3574
2014-09-04 00:00:00
osv
osv
Improper Restriction of Recursive Entity References in DTDs in Apache POI
2022-05-13 01:14:24
CVE-2017-5644
2017-03-24 14:59:00
Improper Restriction of XML External Entity Reference in Apache POI
2022-05-24 16:59:46
redhatcve
redhatcve
CVE-2019-12415
2020-02-13 11:44:58
symantec
symantec
Apache POI CVE-2019-12415 XML External Entity Information Disclosure Vulnerability
2019-10-23 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2020
2020-10-20 00:00:00
Oracle Critical Patch Update Advisory - January 2023
2023-01-17 00:00:00
Oracle Critical Patch Update Advisory - January 2021
2021-01-19 00:00:00

7.1 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.014 Low

EPSS

Percentile

86.3%

JSON
Related for 0B000A0891A3DD2B6FEEDDE868C5765ECFB2CF839563136900F2FFB29F7ED71C
ibm42openvas4redhat6fedora4mageia1nessus10cve4debiancve4cvelist4prion4veracode2nvd4github4ubuntucve4osv6redhatcve1symantec1oracle11