Apache POI CVE-2014-3574 Denial Of Service Vulnerability
| Bugtraq ID: | 69648 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | CVE-2014-3574 |
| Remote: | Yes |
| Local: | No |
| Published: | Sep 03 2014 12:00AM |
| Updated: | Dec 20 2016 12:12AM |
| Credit: | Stefan Kopf, Mike Boufford, Mohamed Ramadan, and Christian Schneider. |
| Vulnerable: | IBM WebSphere Dashboard Framework 7.0.1; IBM Web Experience Factory 8.0 3; IBM Web Experience Factory 8.5.0.1; IBM Web Experience Factory 8.5; IBM Web Experience Factory 8.0; IBM Tivoli Service Request Manager - IBM Tivoli Integration Composer 0; IBM Tivoli Change And Configuration Management Database 0; IBM Tivoli Asset Management for IT 0; IBM SmartCloud Control Desk 0; IBM QRadar 7.2; IBM QRadar 7.1; IBM PredictiveInsight 9.0; IBM PredictiveInsight 8.6; IBM Maximo for Utilities 0; IBM Maximo for Transportation 0; IBM Maximo for Oil and Gas 0; IBM Maximo for Nuclear Power 0; IBM Maximo for Life Sciences 0; IBM Maximo for Government 0; IBM Maximo for Energy Optimization 0; IBM Maximo for Aviation 0; IBM Maximo Asset Management 7.5 6; IBM Maximo Asset Management 7.5 .0; IBM Maximo Asset Management 7.1.1; IBM Maximo Asset Management 7.6; IBM Maximo Asset Management 7.5.0.5; IBM Maximo Asset Management 7.5.0.4; IBM Maximo Asset Management 7.5.0.3; IBM Maximo Asset Management 7.5.0.2; IBM Maximo Asset Management 7.5.0.10; IBM Maximo Asset Management 7.5.0.1; IBM Maximo Asset Management 7.1; Apache POI 3.1.4; Apache POI 3.0.1; Apache POI 2.5; Apache POI 0.14; Apache POI 0.13; Apache POI 0.12; Apache POI 3.8 Beta5; Apache POI 3.8 Beta4; Apache POI 3.8 Beta3; Apache POI 3.8 Beta2; Apache POI 3.8 Beta1; Apache POI 3.8; Apache POI 3.7 Beta3; Apache POI 3.7 Beta2; Apache POI 3.7 Beta1; Apache POI 3.7; Apache POI 3.6; Apache POI 3.5 Beta6; Apache POI 3.5 Beta5; Apache POI 3.5 Beta4; Apache POI 3.5 Beta3; Apache POI 3.5 Beta2; Apache POI 3.5 Beta1; Apache POI 3.2; Apache POI 3.10.1; Apache POI 3.1 Beta2; Apache POI 3.1 Beta1; Apache POI 3.0.2 Beta2; Apache POI 3.0.2 Beta1; Apache POI 3.0.2; Apache POI 3.0 Alpha3; Apache POI 3.0 Alpha2; Apache POI 3.0 Alpha1; Apache POI 2.5.1; Apache POI 2.0 Rc2; Apache POI 2.0 RC1; Apache POI 2.0 Pre3; Apache POI 2.0 Pre2; Apache POI 2.0 Pre1; Apache POI 1.8 Dev; Apache POI 1.7 Dev; Apache POI 1.5.1; Apache POI 1.2.0; Apache POI 1.10 Dev; Apache POI 1.1.0; Apache POI 1.0.2; Apache POI 1.0.1; Apache POI 1.0.0; Apache POI 0.7; Apache POI 0.6; Apache POI 0.5; Apache POI 0.4; Apache POI 0.3; Apache POI 0.2; Apache POI 0.11.0; Apache POI 0.10.0; Apache POI 0.1 |
| Not Vulnerable: | Apache POI 3.10.1; Apache POI 3.11-beta2 |
Discussion
Apache POI is prone to a remote denial-of-service vulnerability.
Attackers may leverage this issue to crash the affected application, denying service to legitimate users.
Exploit / POC
Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
References:
- Apache POI - the Java API for Microsoft Documents (Apache Software Foundation)
- History of Changes (Apache Software Foundation)
- The Apache POI project release of POI 3.10.1-20140818. (Apache Software Foundation)
- XML External Entity (XXE) problem in Apache POI's OpenXML parser (Apache Software Foundation)
- swg21989525: Multiple vulnerabilities in Apache POI affect Asset and Service Man (IBM)
- swg21991839: IBM WebSphere Dashboard Framework is affected by multiple security (IBM)
- swg21991845: IBM Web Experience Factory is affected by multiple security vulnera (IBM)
- swg21991969: Multiple vulnerabilities in Apache POI affect IBM PredictiveInsight (IBM)
- swg21994719: Apache POI as used in IBM QRadar SIEM is vulnerable to various CVEs (IBM)