CVE-2014-3574
Denial of Service vulnerability in poi (Maven)
What is CVE-2014-3574 About?
This is a Denial of Service vulnerability in Apache POI, affecting versions before 3.10.1 and 3.11.x before 3.11-beta2. It allows remote attackers to cause CPU consumption and crashes via a crafted OOXML file, a technique often referred to as an XML Entity Expansion (XEE) attack. Exploitation is relatively easy: the attacker only has to supply a malicious file.
Affected Software
- org.apache.poi:poi
  - <3.10.1
  - >3.11-beta1, <3.11-beta2
Technical Details
Apache POI versions before 3.10.1 and 3.11.x before 3.11-beta2 are vulnerable to a denial of service through an XML Entity Expansion (XEE) attack when processing crafted OOXML files. An attacker can create an OOXML document that contains multiple nested or recursive XML entity references. When the vulnerable Apache POI library attempts to parse this document, the XML parser expands these entities, leading to an exponential increase in data size and memory consumption. This excessive resource usage can cause high CPU consumption, memory exhaustion, and ultimately lead to a crash of the application, thereby causing a denial of service.
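As a defence-in-depth check alongside the upgrade, the following added example (not Apache POI's code and not the fix shipped in 3.10.1) screens a package before it reaches the library: each XML part is parsed with a JAXP parser configured to treat any DOCTYPE as a fatal error, so entity definitions are never expanded. The class and method names and the sample package are constructed for illustration, and the check assumes that parts ending in `.xml` or `.rels` are the ones to screen and that a part declaring a DOCTYPE can simply be rejected.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.zip.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class OoxmlDoctypeGuard {
    /** Returns the first XML part the hardened parser refuses (DOCTYPE or malformed), or null. */
    static String firstRejectedPart(byte[] pkg) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Any DOCTYPE is a fatal error, so no entity is ever declared or expanded.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        try (ZipInputStream zip = new ZipInputStream(new ByteArrayInputStream(pkg))) {
            for (ZipEntry e; (e = zip.getNextEntry()) != null; ) {
                String n = e.getName().toLowerCase(Locale.ROOT);
                if (!n.endsWith(".xml") && !n.endsWith(".rels")) continue;
                // The SAX parser closes its input; shield the zip stream from that.
                InputStream part = new FilterInputStream(zip) { @Override public void close() {} };
                try {
                    f.newSAXParser().parse(part, new DefaultHandler());
                } catch (SAXException rejected) {
                    return e.getName();
                }
            }
        }
        return null;
    }
    // Builds an in-memory zip from (name, body) pairs; used only for the constructed samples.
    static byte[] zip(String... nameThenBody) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(out)) {
            for (int i = 0; i < nameThenBody.length; i += 2) {
                z.putNextEntry(new ZipEntry(nameThenBody[i]));
                z.write(nameThenBody[i + 1].getBytes(StandardCharsets.UTF_8));
            }
        }
        return out.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain part, and a part with a harmless one-entity DOCTYPE.
        String dtd = "<!DOCTYPE sst [<!ENTITY a \"b\">]><sst>&a;</sst>";
        byte[] clean = zip("xl/workbook.xml", "<workbook/>");
        byte[] flagged = zip("xl/workbook.xml", "<workbook/>", "xl/sharedStrings.xml", dtd);
        System.out.println(firstRejectedPart(clean) + " / " + firstRejectedPart(flagged));
    }
}
```

A package for which `firstRejectedPart` returns a part name should be refused rather than passed on to POI.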
What is the Impact of CVE-2014-3574?
Successful exploitation may allow attackers to consume excessive CPU and memory resources, leading to a denial of service (application crash or unresponsiveness) for applications processing crafted files.
What is the Exploitability of CVE-2014-3574?
Exploitation is of low complexity. It requires remote access, specifically the ability to provide a crafted OOXML file to a system or user that processes it with the vulnerable Apache POI library. No prior authentication or specific privileges are required beyond the ability to submit the malicious file. The primary prerequisite is the processing of untrusted OOXML documents. The risk is high in environments where untrusted documents are processed automatically or by users, as it can lead to system instability.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2014-3574?
Available Upgrade Options
- org.apache.poi:poi
  - <3.10.1 → Upgrade to 3.10.1
  - >3.11-beta1, <3.11-beta2 → Upgrade to 3.11-beta2
Additional Resources
- http://poi.apache.org/changes.html
- http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt
- http://rhn.redhat.com/errata/RHSA-2014-1398.html
- https://lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations
- http://secunia.com/advisories/60419
- http://www-01.ibm.com/support/docview.wss?uid=swg21996759
- http://rhn.redhat.com/errata/RHSA-2014-1400.html
- http://rhn.redhat.com/errata/RHSA-2014-1370.html
- https://svn.apache.org/repos/asf/poi/trunk@1615731
- https://osv.dev/vulnerability/GHSA-5wfp-8643-c58x
What are Similar Vulnerabilities to CVE-2014-3574?
Similar Vulnerabilities: CVE-2013-4002, CVE-2014-9527, CVE-2015-0810, CVE-2016-5018, CVE-2017-7660
