CVE-2014-3529
XML External Entity (XXE) vulnerability in poi (Maven)
What is CVE-2014-3529 About?
This is an XML External Entity (XXE) vulnerability in Apache POI before 3.10.1, specifically within the OPC SAX setup. It allows remote attackers to read arbitrary files by crafting an OpenXML file with an XML external entity declaration. Exploitation is relatively straightforward for an attacker who can supply malicious OpenXML documents.
Affected Software
Technical Details
The XML External Entity (XXE) vulnerability in Apache POI versions prior to 3.10.1 is found in the OPC (Open Packaging Conventions) SAX setup. When processing OpenXML files, the SAX parser does not properly disable external entity resolution. An attacker can embed an XML external entity declaration within an OpenXML document (e.g., a DOCX, XLSX, or PPTX file). This declaration can point to local files on the server (e.g., file:///etc/passwd). When the vulnerable Apache POI library parses this crafted document, the XML parser attempts to resolve the external entity, reading the content of the specified local file and embedding it into the parsed XML structure or potentially transmitting it back to a remote server controlled by the attacker if the entity points to a URL.
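The following added example (not POI's own code and not the upstream fix) contrasts a default JAXP SAX factory with a hardened one on a constructed XML part. It assumes the JDK's built-in parser, which supports the `disallow-doctype-decl` feature; the class name, the `probe` helper and the placeholder entity URI are hypothetical.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class OpcSaxHardeningDemo {
    // Constructed sample: an XML part declaring an external entity (placeholder URI).
    static final String PART =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-file\">]>"
      + "<r>&ext;</r>";

    // SAX factory with DTDs and external entities switched off.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // OOXML parts have no need for a DTD, so refuse any DOCTYPE outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the DOCTYPE ban is ever relaxed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f;
    }

    // Parses PART and reports whether the parser asked to resolve the entity.
    static String probe(SAXParserFactory f) throws Exception {
        final String[] seen = { null };
        XMLReader r = f.newSAXParser().getXMLReader();
        DefaultHandler h = new DefaultHandler();
        r.setContentHandler(h);
        r.setErrorHandler(h); // fatal errors are rethrown as SAXParseException
        // Intercept resolution so the demo never touches the file system or network.
        r.setEntityResolver((publicId, systemId) -> {
            seen[0] = systemId;
            return new InputSource(new StringReader(""));
        });
        try {
            r.parse(new InputSource(new StringReader(PART)));
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        }
        return seen[0] != null ? "resolution attempted: " + seen[0] : "no resolution";
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default : " + probe(SAXParserFactory.newInstance()));
        System.out.println("hardened: " + probe(hardenedFactory()));
    }
}
```

`setFeature` throws `ParserConfigurationException` when the underlying parser does not recognise a feature, so a hardening step that silently has no effect surfaces at start-up instead of at parse time.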
What is the Impact of CVE-2014-3529?
Successful exploitation may allow attackers to read arbitrary files from the server's file system, which can lead to information disclosure, access to sensitive configuration files, and potential further system compromise.
What is the Exploitability of CVE-2014-3529?
Exploitation complexity is moderate, requiring an attacker to craft a malicious OpenXML file containing the XXE payload. This attack is typically remote, as the attacker needs to provide the crafted file to the application. No authentication or elevated privileges are strictly required; the attacker merely needs a way to upload or submit a malicious OpenXML document for processing by Apache POI. Prerequisites include the application accepting and processing OpenXML documents using a vulnerable version of Apache POI. The primary constraint is the ability to introduce such a file into the application's processing pipeline. Risk factors are increased if the application widely accepts OpenXML document uploads from untrusted sources.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2014-3529?
Available Upgrade Options
- org.apache.poi:poi
- <3.10.1 → Upgrade to 3.10.1
Additional Resources
- http://poi.apache.org/changes.html
- http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt
- http://rhn.redhat.com/errata/RHSA-2014-1398.html
- https://lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations
- http://secunia.com/advisories/60419
- http://www-01.ibm.com/support/docview.wss?uid=swg21996759
- http://rhn.redhat.com/errata/RHSA-2014-1400.html
- http://rhn.redhat.com/errata/RHSA-2014-1370.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95770
- https://github.com/apache/poi/commit/236c3c52a9b90688b2e57ec503559409e29f33ed
What are Similar Vulnerabilities to CVE-2014-3529?
Similar Vulnerabilities: CVE-2017-3156, CVE-2015-5219, CVE-2016-8610, CVE-2017-9878, CVE-2018-1000868
