Details on new vulnerability against Apache POI usage ?


Details on new vulnerability against Apache POI usage ?

Sateesh K Kolusu
Hello  -
Recently saw this vulnerability
Apache POI in versions prior to release 3.15 allows remote attackers to
cause a denial of service (CPU consumption) via a specially crafted OOXML
file, aka an XML Entity Expansion (XEE) attack. Users with applications
which accept content from external or untrusted sources are advised to
upgrade to Apache POI 3.15 or newer.

We recently migrated to 3.14 a couple of months back. Though 3.14 is
affected as per the above text, can someone give additional details on what
exactly this vulnerability is and how it affects us? Does usage of any
class or method, or some particular formatted input, affect that? This
will be more helpful to us in determining if 3.14 usage really affects us or
not.


---
Thanks in advance
Sateesh


RE: Details on new vulnerability against Apache POI usage ?

Allison, Timothy B.
If you're processing a specially crafted docx/xlsx/pptx (and their macro brethren), you could be vulnerable to:

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing 

POI-colleagues, please correct me if I'm wrong, but you'd trigger this if you ran an extractor or even if you just opened the file with, say, XWPFDocument.

For the potential effects of this vulnerability, see:

http://thehackernews.com/2014/01/facebook-hacker-received-33500-reward.html 

https://blog.bugcrowd.com/advice-from-a-researcher-xxe/


-----Original Message-----
From: Sateesh K Kolusu [mailto:[hidden email]]
Sent: Thursday, April 27, 2017 2:50 AM
To: [hidden email]
Subject: Details on new vulnerability against Apache POI usage ?

Hello  -
Recently saw this vulnerability
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack. Users with applications which accept content from external or untrusted sources are advised to upgrade to Apache POI 3.15 or newer.

We recently migrated to 3.14 a couple of months back. Though 3.14 is affected as per the above text, can some one give additional details what exactly is this vulnerability and how it affects ?  Does usage of any Class or a method or a some particular formatted input affects that ? This will be more helpful to us in determining if 3.14 usage really affects or not.


---
Thanks in advance
Sateesh



Re: Details on new vulnerability against Apache POI usage ?

Dominik Stadler
In reply to this post by Sateesh K Kolusu
Hi,

the vulnerability was concerning the XML parsing of files in the newer
Microsoft document formats (i.e. xlsx, docx, pptx, ...). These files are
actually zip-files with a bunch of XML-files inside. There was a
possibility to create a specially crafted xml-file as part of such a file
so that POI could go out-of-memory while processing such a file. There is no
specific functionality involved to trigger it as the initial parsing of the
files during opening the document via Apache POI triggers the problem.

So the vulnerability affects you if you are opening documents in the newer
format from an "untrusted" source, i.e. if you do not control how the files
are built.

Let us know if you need more details.

Dominik.

On Thu, Apr 27, 2017 at 8:50 AM, Sateesh K Kolusu <[hidden email]> wrote:

> Hello  -
> Recently saw this vulnerability
> Apache POI in versions prior to release 3.15 allows remote attackers to
> cause a denial of service (CPU consumption) via a specially crafted OOXML
> file, aka an XML Entity Expansion (XEE) attack. Users with applications
> which accept content from external or untrusted sources are advised to
> upgrade to Apache POI 3.15 or newer.
>
> We recently migrated to 3.14 a couple of months back. Though 3.14 is
> affected as per the above text, can some one give additional details what
> exactly is this vulnerability and how it affects ?  Does usage of any
> Class or a method or a some particular formatted input affects that ? This
> will be more helpful to us in determining if 3.14 usage really affects or
> not.
>
>
> ---
> Thanks in advance
> Sateesh

Re: Details on new vulnerability against Apache POI usage ?

Sateesh K Kolusu
Thank you Dominik. Can you throw some light on what you mean by
"So the vulnerability affects you if you are opening documents in the newer
format from an "untrusted" source, i.e. if you do not control how the files
are built."




---
Thanks in advance
Sateesh



From:   Dominik Stadler <[hidden email]>
To:     POI Users List <[hidden email]>
Date:   04/27/2017 05:57 PM
Subject:        Re: Details on new vulnerability against Apache POI usage ?



Hi,

the vulnerability was concerning the XML parsing of files in the newer
Microsoft document formats (i.e. xlsx, docx, pptx, ...). These files are
actually zip-files with a bunch of XML-files inside. There was a
possibility to create a specially crafted xml-file as part of such a file
POI could go out-of-memory while processing such a file. There is no
specific functionality involved to trigger it as the initial parsing of the
files during opening the document via Apache POI triggers the problem.

So the vulnerability affects you if you are opening documents in the newer
format from an "untrusted" source, i.e. if you do not control how the files
are built.

Let us know if you need more details.

Dominik.


Re: Details on new vulnerability against Apache POI usage ?

Dominik Stadler
Hi,

"Newer format" means .xlsx, .docx, .pptx files compared to .xls, .doc, .ppt
which are in a non-XML binary format and are NOT affected at all here.

It affects you if you process files provided by your users or other
external parties which you do not trust fully. It does NOT affect you if
the files are only ever produced in your own applications that you trust to
provide compliant documents.

It does NOT affect you if you only produce files and never import data from
such files in your application.

Dominik

On Wed, May 3, 2017 at 2:16 PM, Sateesh K Kolusu <[hidden email]> wrote:

> Thank you Dominik. Can you throw some light on what you mean by
> "So the vulnerability affects you if you are opening documents in the newer
> format from an "untrusted" source, i.e. if you do not control how the files
> are built."
>
>
>
>
> ---
> Thanks in advance
> Sateesh

Re: Details on new vulnerability against Apache POI usage ?

Sateesh K Kolusu
Thank you for the prompt reply. We specifically use POI ONLY for
extracting data from Microsoft Excel sheets that have different column
definitions and writing data to Microsoft Excel sheets, i.e., .xlsx formats.
So as you said, since we produce Excel files here, we are vulnerable?

---
Thanks
Sateesh



From:   Dominik Stadler <[hidden email]>
To:     POI Users List <[hidden email]>
Date:   05/03/2017 06:14 PM
Subject:        Re: Details on new vulnerability against Apache POI usage ?



Hi,

"Newer format" means .xlsx, .docx, .pptx files compared to .xls, .doc, .ppt
which are in a non-XML binary format and are NOT affected at all here.

It affects you if you process files provided by your users or other
external parties which you do not trust fully. It does NOT affect you if
the files are only ever produced in your own applications that you trust to
provide compliant documents.

It does NOT affect you if you only produce files and never import data from
such files in your application.

Dominik


Re: Details on new vulnerability against Apache POI usage ?

kiwiwings
> We specifically use POI ONLY for extracting data from Microsoft Excel sheets ...
Do you trust and know the people/programs generating those Excel sheets?
Yes -> no need to upgrade
No -> upgrade!


PS: Sorry for the double posting ... it was in the wrong list ....




Re: Details on new vulnerability against Apache POI usage ?

Javen O'Neal-2
If you read the CVE, POI 3.15 and earlier are vulnerable to hand-crafted
XML attacks. See Billion Laughs [1]. These won't exist in an XML file by
accident--they're deliberately added by someone with malicious intent or
someone copying the XML contents of an untrustworthy file without checking
the contents.

The consequence is a denial of service, either by exhausting available
memory (which will thrash the JVM's garbage collector until the JVM figures
out that there isn't enough memory that can be gc'd to allocate the
requested memory), or a denial of service by pegging the CPU doing work
that grows exponentially, whichever DoS vector occurs first.

[1] Billion Laughs example
https://en.wikipedia.org/wiki/Billion_laughs#Code_example

On May 3, 2017 06:38, "Andreas Beeker" <[hidden email]> wrote:

> > We specifically use POI ONLY for extracting data from Microsoft Excel sheets ...
> Do you trust and know the people/programs generating those Excel sheets?
> Yes -> no need to upgrade
> No -> upgrade!
>
>
> PS: Sorry for the double posting ... it was in the wrong list ....
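The following pre-flight check is an added example, not part of the thread and not Apache POI code: it walks the XML parts inside an .xlsx/.docx/.pptx zip with a JDK parser configured to fail on any DOCTYPE, so a file carrying entity declarations is rejected before it is opened with POI. The class and method names are hypothetical, and it assumes legitimate OOXML parts never declare a DTD.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.zip.*;
import javax.xml.parsers.*;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class OoxmlPreflight { // hypothetical class, not part of POI
    /** Name of the first XML part that declares a DOCTYPE or is not well-formed, else null. */
    static String firstRejectedPart(InputStream ooxml) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Xerces/JDK feature: any DOCTYPE is a fatal error, so entity declarations are never read.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        SAXParser parser = factory.newSAXParser();
        try (ZipInputStream zip = new ZipInputStream(ooxml)) {
            for (ZipEntry e; (e = zip.getNextEntry()) != null; ) {
                String name = e.getName().toLowerCase(java.util.Locale.ROOT);
                if (!(name.endsWith(".xml") || name.endsWith(".rels") || name.endsWith(".vml"))) continue;
                // Shield the zip stream: the parser may close its input when done.
                InputStream part = new FilterInputStream(zip) { @Override public void close() {} };
                try {
                    parser.parse(part, new DefaultHandler());
                } catch (SAXException rejected) {
                    return e.getName();
                }
            }
        }
        return null;
    }
    /** Builds a constructed in-memory zip from (entry name, XML body) pairs. */
    static byte[] zipOf(String... nameThenBody) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ZipOutputStream zip = new ZipOutputStream(out)) {
            for (int i = 0; i < nameThenBody.length; i += 2) {
                zip.putNextEntry(new ZipEntry(nameThenBody[i]));
                zip.write(nameThenBody[i + 1].getBytes(StandardCharsets.UTF_8));
            }
        }
        return out.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Constructed samples: one clean part, one part with a single harmless internal entity.
        byte[] clean = zipOf("xl/workbook.xml", "<workbook><sheets/></workbook>");
        byte[] withDtd = zipOf("[Content_Types].xml", "<Types/>",
                "xl/workbook.xml", "<!DOCTYPE w [<!ENTITY a \"x\">]><workbook>&a;</workbook>");
        System.out.println("clean:   " + firstRejectedPart(new ByteArrayInputStream(clean)));
        System.out.println("withDtd: " + firstRejectedPart(new ByteArrayInputStream(withDtd)));
    }
}
```

The check only screens for DTDs; upgrading to POI 3.15 or newer, as the advisory quoted in the thread says, remains the fix for applications that accept untrusted files.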