Apache POI OpenXML parser CVE-2014-3529 XML External Entity Information Disclosure Vulnerability
BID:69647
| Bugtraq ID: | 69647 |
| Class: | Design Error |
| CVE: | CVE-2014-3529 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 18 2014 12:00AM |
| Updated: | Dec 20 2016 12:12AM |
| Credit: | Stefan Kopf, Mike Boufford, Mohamed Ramadan, and Christian Schneider |
| Vulnerable: | IBM QRadar 7.2, IBM QRadar 7.1, IBM PredictiveInsight 9.0, IBM PredictiveInsight 8.6, Apache POI 3.1.4, Apache POI 3.0.1, Apache POI 2.5, Apache POI 2.0, Apache POI 0.14, Apache POI 0.13, Apache POI 0.12, Apache POI 3.8 Beta5, Apache POI 3.8 Beta4, Apache POI 3.8 Beta3, Apache POI 3.8 Beta2, Apache POI 3.8 Beta1, Apache POI 3.8, Apache POI 3.7 Beta3, Apache POI 3.7 Beta2, Apache POI 3.7 Beta1, Apache POI 3.7, Apache POI 3.6, Apache POI 3.5 Beta6, Apache POI 3.5 Beta5, Apache POI 3.5 Beta4, Apache POI 3.5 Beta3, Apache POI 3.5 Beta2, Apache POI 3.5 Beta1, Apache POI 3.2, Apache POI 3.1 Beta2, Apache POI 3.1 Beta1, Apache POI 3.0.2 Beta2, Apache POI 3.0.2 Beta1, Apache POI 3.0.2, Apache POI 3.0 Alpha3, Apache POI 3.0 Alpha2, Apache POI 3.0 Alpha1, Apache POI 2.5.1, Apache POI 2.5, Apache POI 2.0 Rc2, Apache POI 2.0 RC1, Apache POI 2.0 Pre3, Apache POI 2.0 Pre2, Apache POI 2.0 Pre1, Apache POI 1.8 Dev, Apache POI 1.7 Dev, Apache POI 1.5.1, Apache POI 1.5, Apache POI 1.2.0, Apache POI 1.10 Dev, Apache POI 1.1.0, Apache POI 1.0.2, Apache POI 1.0.1, Apache POI 1.0.0, Apache POI 0.7, Apache POI 0.6, Apache POI 0.5, Apache POI 0.4, Apache POI 0.3, Apache POI 0.2, Apache POI 0.11.0, Apache POI 0.10.0, Apache POI 0.1 |
| Not Vulnerable: | Apache POI 3.10.1 |
Discussion
Apache POI is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks.
Versions prior to Apache POI 3.10.1 are vulnerable.
Exploit / POC
Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
References:
- Apache POI - the Java API for Microsoft Documents (Apache Software Foundation)
- The Apache POI project release of POI 3.10.1-20140818. (Apache Software Foundation)
- XML External Entity (XXE) problem in Apache POI's OpenXML parser (Apache Software Foundation)
- swg21991969: Multiple vulnerabilities in Apache POI affect IBM PredictiveInsight (IBM)
- swg21994719: Apache POI as used in IBM QRadar SIEM is vulnerable to various CVEs (IBM)