CVE-2014-9527
Denial of Service vulnerability in poi (Maven)
What is CVE-2014-9527 About?
This vulnerability is a Denial of Service affecting Apache POI through specially crafted PPT files. It can lead to an infinite loop and deadlock, rendering the application unresponsive. Exploitation is relatively easy as it only requires providing a malicious file.
Affected Software
Technical Details
HSLFSlideShow in Apache POI versions before 3.11 is vulnerable to a denial of service. Attackers can craft a malicious PowerPoint (PPT) file which, when processed by the affected software, triggers an infinite loop and subsequently a deadlock condition. This exhausts system resources or locks up processing threads, causing the application to become unresponsive and effectively denying service to legitimate users trying to process or open the file.
What is the Impact of CVE-2014-9527?
Successful exploitation may allow attackers to cause applications using the vulnerable library to enter an unresponsive state, leading to disruption of service for users.
What is the Exploitability of CVE-2014-9527?
Exploitation of this vulnerability is of low complexity. It requires remote access and no prior authentication or specific privileges. The attacker needs to deliver a specially crafted PPT file to a user or system that processes it with the vulnerable Apache POI library. The primary risk factor is the processing of untrusted PPT files within an affected application. No special conditions are required beyond the file processing itself.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2014-9527?
Available Upgrade Options
- org.apache.poi:poi
- <3.11 → Upgrade to 3.11
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- http://www.securityfocus.com/bid/77726
- http://poi.apache.org/changes.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150228.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150228.html
- https://access.redhat.com/errata/RHSA-2016:1135
- http://www-01.ibm.com/support/docview.wss?uid=swg21996759
- http://secunia.com/advisories/61953
- http://secunia.com/advisories/61953
- http://www-01.ibm.com/support/docview.wss?uid=swg21996759
- https://nvd.nist.gov/vuln/detail/CVE-2014-9527
What are Similar Vulnerabilities to CVE-2014-9527?
Similar Vulnerabilities: CVE-2014-3574 , CVE-2015-2156 , CVE-2017-5645 , CVE-2017-7660 , CVE-2021-39230
