CVE-2008-3437
Summary
| CVE | CVE-2008-3437 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2008-08-01 14:41:00 UTC |
| Updated | 2008-09-05 21:43:00 UTC |
| Description | OpenOffice.org (OOo) before 2.1.0 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning. |
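The description above names the root cause (the client applies whatever the update server returns, so an attacker who redirects the request, for example by poisoning a DNS cache, can substitute a Trojan payload) and, by implication, the fix later adopted: a detached vendor signature checked against a key pinned in the client. The following Go program is an added example written for this page; it is not OpenOffice.org's update code, not evilgrade, and not taken from any of the references. It places the unverified client beside a verified one and replays the man-in-the-middle substitution against both. The `Update` struct, the Ed25519 release key, the version string and the payload bytes are all constructed here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what the client gets back from "the update server", i.e. from
// whichever host answered its DNS query. Constructed for this example.
type Update struct {
	Version   string
	Payload   []byte // installer bytes
	Signature []byte // detached vendor signature over digest(); absent in the legacy scheme
}

// digest binds version and payload together so a signature over one update
// cannot be replayed onto a different version or payload.
func digest(u Update) []byte {
	h := sha256.New()
	h.Write([]byte(u.Version))
	h.Write([]byte{0}) // separator so "1"+"0abc" and "10"+"abc" hash differently
	h.Write(u.Payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor-side step: sign the update with the release key.
func SignUpdate(priv ed25519.PrivateKey, u *Update) {
	u.Signature = ed25519.Sign(priv, digest(*u))
}

// ApplyUnverified mirrors the behaviour the CVE describes: whatever arrives
// is installed. Whoever answers the download request wins outright.
func ApplyUnverified(u Update) (string, error) {
	return install(u), nil
}

// ApplyVerified installs only if the detached signature verifies under the
// vendor key pinned in the client. DNS answers and TCP streams may lie; the
// signature cannot be produced without the vendor's private key.
func ApplyVerified(vendorPub ed25519.PublicKey, u Update) (string, error) {
	if len(u.Signature) != ed25519.SignatureSize {
		return "", errors.New("rejected: missing or malformed signature")
	}
	if !ed25519.Verify(vendorPub, digest(u), u.Signature) {
		return "", errors.New("rejected: signature does not verify under pinned vendor key")
	}
	return install(u), nil
}

// install stands in for running the installer.
func install(u Update) string {
	return fmt.Sprintf("installed %s (%d bytes)", u.Version, len(u.Payload))
}

// Outcome records what each client did in the substitution scenario.
type Outcome struct {
	GenuineAccepted   bool   // verified client installs the vendor's own update
	LegacyInstalled   bool   // unverified client installs the Trojan
	HardenedInstalled bool   // verified client installs the Trojan
	HardenedErr       string // why the verified client refused
}

// Simulate plays the man-in-the-middle: the vendor signs a genuine update, the
// attacker serves a Trojan under the same version string and copies the
// vendor's signature onto it, hoping the client does not check it.
func Simulate() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := Update{Version: "2.1.0", Payload: []byte("genuine installer bytes (constructed)")}
	SignUpdate(vendorPriv, &genuine)

	trojan := Update{Version: "2.1.0", Payload: []byte("trojan installer bytes (constructed)")}
	trojan.Signature = genuine.Signature // replayed; the digest differs, so it will not verify

	var out Outcome
	_, err = ApplyVerified(vendorPub, genuine)
	out.GenuineAccepted = err == nil

	_, err = ApplyUnverified(trojan)
	out.LegacyInstalled = err == nil

	_, err = ApplyVerified(vendorPub, trojan)
	out.HardenedInstalled = err == nil
	if err != nil {
		out.HardenedErr = err.Error()
	}
	return out, nil
}

func main() {
	out, err := Simulate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The point the example makes is that transport-level trust (the host name resolved, the connection completed) is not authenticity: only the pinned key decides. Note that the signature covers the version string as well as the bytes, so an attacker cannot replay a validly signed older release under a newer version number; a real client would additionally refuse downgrades by comparing the signed version against what is already installed.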
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.infobyte.com.ar/down/isr-evilgrade-1.0.0.tar.gz | MISC | www.infobyte.com.ar | |
| www.infobyte.com.ar/down/Francisco%20Amato%20-%20evilgrade%20-%20ENG.pdf | MISC | www.infobyte.com.ar | |
| OpenOffice Update Component Lack of Digital Signatures Lets Remote Users Install Arbitrary Code in Certain Cases - SecurityTracker | SECTRACK | securitytracker.com | |
| 20080728 Tool release: [evilgrade] - Using DNS cache poisoning to exploit poor update implementations | FULLDISC | archives.neohapsis.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
| Organization | Published | Contributor | Statement |
|---|---|---|---|
| Red Hat | 2008-08-04 | Tomas Hoger | Not vulnerable. This issue did not affect the versions of OpenOffice.org as shipped with Red Hat Enterprise Linux 3, 4, or 5. The updated Red Hat Enterprise Linux packages are not distributed via the openoffice.org update service, but rather via Red Hat Network, using the package manager capabilities to verify authenticity of updates. |
There are currently no legacy QID mappings associated with this CVE.