Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM290C060BD17539D47F8AE4FA124A502DCA6F923ED27052EA6D217021FB065F37
HistoryJun 15, 2018 - 10:48 p.m.

Security Bulletin: IBM OpenPages GRC Platform has addressed multiple Apache POI vulnerabilities (CVE-2017-5644, CVE-2016-5000, CVE-2014-3574)

2018-06-1522:48:15
www.ibm.com
11

0.014 Low

EPSS

Percentile

86.4%

JSON

Summary

IBM OpenPages GRC Platform has addressed potential security exposure due to multiple vulnerabilities in Apache POI library.

Vulnerability Details

CVE-ID: CVE-2017-5644
Description: Apache POI is vulnerable to a denial of service, cause by an XML External Entity Injection (XXE) error when processing XML data. By using a specially-crafted OOXML file, a remote attacker could exploit this vulnerability to consume all available CPU resources.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/123699 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-5000**
DESCRIPTION:** Apache POI could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when XLSX2CSV example uses Javaโ€™s XML components to parse OpenXML files. An attacker could exploit this vulnerability using an XML document containing an external entity reference to read arbitrary files on the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/115530&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2014-3574**
DESCRIPTION:** Apache POI is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. An attacker could exploit this vulnerability using a specially-crafted OOXML file to consume all available CPU resources and cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95768&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM OpenPages GRC Platform versions 7.1 through 7.3

Remediation/Fixes

A fix has been created for each affected version of the named product. Download and install the fix as soon as possible. Fixes and installation instructions are provided at the URLs listed below:

Fix Download URL
For OpenPages GRC Platform 7.3.0
- Apply 7.3 Fix Pack 1 (7.3.0.1) or later http://www.ibm.com/support/docview.wss?uid=swg24043595
For OpenPages GRC Platform 7.2.0 through 7.2.0.4
- Apply 7.2 Fix Pack 5 (7.2.0.5) or later http://www.ibm.com/support/docview.wss?uid=swg24043802
For OpenPages GRC Platform 7.1.0 through 7.1.0.3
- Apply 7.1 Fix Pack 4 (7.1.0.4) or later http://www.ibm.com/support/docview.wss?uid=swg24043897

For OpenPages GRC Platform v7.0.x customers, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

None known, apply fixes.

Related

ibm 33
cve 3
debiancve 3
cvelist 3
prion 3
veracode 1
nvd 3
github 3
ubuntucve 3
osv 4
redhatcve 1
redhat 5
openvas 4
nessus 3
fedora 4
mageia 1
oracle 2
ibm
ibm
Security Bulletin: IBM Forms Experience Builder could be susceptible to Apache POI Vulnerabilities
2018-06-16 20:07:27
Security Bulletin: Atlas eDiscovery Process Management is affected by a vulnerable poi-ooxml-3.9.jar
2023-05-08 08:37:05
Security Bulletin: Vulnerabilities found in poi-ooxml-3.9.jar which is shipped with IBMยฎ Intelligent Operations Center(CVE-2017-5644, CVE-2019-12415, CVE-2014-3574, CVE-2014-3529)
2023-09-05 12:52:50
cve
cve
CVE-2017-5644
2017-03-24 14:59:00
CVE-2016-5000
2016-08-05 14:59:10
CVE-2014-3574
2014-09-04 17:55:05
debiancve
debiancve
CVE-2017-5644
2017-03-24 14:59:00
CVE-2014-3574
2014-09-04 17:55:05
CVE-2016-5000
2016-08-05 14:59:10
cvelist
cvelist
CVE-2017-5644
2017-03-24 14:00:00
CVE-2014-3574
2014-09-04 17:00:00
CVE-2016-5000
2016-08-05 14:00:00
prion
prion
Design/Logic Flaw
2017-03-24 14:59:00
Xxe
2016-08-05 14:59:00
Design/Logic Flaw
2014-09-04 17:55:00
veracode
veracode
Denial Of Service (DoS) Via XML External Expansion (XEE)
2017-03-22 01:45:07
nvd
nvd
CVE-2017-5644
2017-03-24 14:59:00
CVE-2014-3574
2014-09-04 17:55:05
CVE-2016-5000
2016-08-05 14:59:10
github
github
Improper Restriction of Recursive Entity References in DTDs in Apache POI
2022-05-13 01:14:24
Improper Input Validation in Apache POI
2022-05-17 01:24:36
Apache POI's XLSX2CSV Example XML External Entity (XXE) Vulnerability
2022-05-13 01:14:25
ubuntucve
ubuntucve
CVE-2017-5644
2017-03-24 00:00:00
CVE-2014-3574
2014-09-04 00:00:00
CVE-2016-5000
2016-08-05 00:00:00
osv
osv
Improper Restriction of Recursive Entity References in DTDs in Apache POI
2022-05-13 01:14:24
CVE-2017-5644
2017-03-24 14:59:00
Apache POI's XLSX2CSV Example XML External Entity (XXE) Vulnerability
2022-05-13 01:14:25
redhatcve
redhatcve
CVE-2016-5000
2016-07-25 09:18:24
redhat
redhat
(RHSA-2014:1400) Moderate: Apache POI security update
2014-10-13 16:38:47
(RHSA-2014:1399) Moderate: Apache POI security update
2014-10-13 16:38:20
(RHSA-2014:1398) Moderate: Apache POI security update
2014-10-13 16:37:40
openvas
openvas
Mageia: Security Advisory (MGASA-2014-0550)
2022-01-28 00:00:00
Fedora Update for apache-poi FEDORA-2015-2087
2015-02-25 00:00:00
Fedora Update for apache-poi FEDORA-2014-10322
2014-09-20 00:00:00
nessus
nessus
Fedora 21 : apache-poi-3.10.1-2.fc21 (2015-2087)
2015-02-24 00:00:00
Fedora 21 : apache-poi-3.10.1-1.fc21 (2014-10171)
2014-09-29 00:00:00
Fedora 20 : apache-poi-3.10.1-1.fc20 (2014-10322)
2014-09-10 00:00:00
fedora
fedora
[SECURITY] Fedora 21 Update: apache-poi-3.10.1-1.fc21
2014-09-27 10:07:00
[SECURITY] Fedora 20 Update: apache-poi-3.10.1-1.fc20
2014-09-19 10:14:54
[SECURITY] Fedora 21 Update: apache-poi-3.10.1-2.fc21
2015-02-23 08:01:19
mageia
mageia
Updated apache-poi packages fix security vulnerabilities
2014-12-26 20:04:58
oracle
oracle
Oracle Critical Patch Update Advisory - October 2020
2020-10-20 00:00:00
Oracle Critical Patch Update Advisory - January 2017
2017-01-17 00:00:00

0.014 Low

EPSS

Percentile

86.4%

JSON
Related for 290C060BD17539D47F8AE4FA124A502DCA6F923ED27052EA6D217021FB065F37
ibm33cve3debiancve3cvelist3prion3veracode1nvd3github3ubuntucve3osv4redhatcve1redhat5openvas4nessus3fedora4mageia1oracle2