CVE-2017-12626
Denial of Service vulnerability in org.apache.poi:poi

Denial of Service No known exploit

What is CVE-2017-12626 About?

Apache POI versions prior to 3.17 are vulnerable to Denial of Service (DoS) attacks. These attacks can manifest as infinite loops during parsing of crafted files like WMF, EMF, MSG, and macros, or as Out of Memory exceptions when parsing malformed DOC, PPT, and XLS files. Exploiting these vulnerabilities typically requires a specially crafted document to be processed by Apache POI.

Affected Software

org.apache.poi:poi <3.17
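
One way to check a Maven `pom.xml` for the affected range listed above, as an added example that is not part of the original advisory or of Apache POI. The function names and the sample POM are constructed for illustration, and treating pre-release builds such as 3.17-beta1 as affected is an assumption based on Maven version ordering.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (3, 17, 0)  # first fixed release per this advisory (3.17)
PRERELEASE = re.compile(r"[-.]?(alpha|beta|rc|cr|milestone|snapshot)", re.I)

def is_affected(version):
    """True if version sorts before 3.17, None if it cannot be parsed."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$", version)
    if not m:
        return None  # missing or unresolved version: needs manual review
    nums = tuple(int(g or 0) for g in m.groups()[:3])
    if nums != FIXED:
        return nums < FIXED  # numeric compare, so 3.9 sorts before 3.17
    # Assumption: Maven ordering, where 3.17-beta1 precedes 3.17 final.
    return bool(PRERELEASE.match(m.group(4)))

def _name(elem):
    return elem.tag.rsplit("}", 1)[-1]  # drop the POM XML namespace

def _fields(elem):
    return {_name(c): (c.text or "").strip() for c in elem}

def find_poi(pom_xml):
    """Return [(resolved_version, affected)] for each org.apache.poi:poi entry."""
    root = ET.fromstring(pom_xml)
    props, findings = {}, []
    for elem in root.iter():
        if _name(elem) == "properties":
            props.update(_fields(elem))
    for elem in root.iter():
        dep = _fields(elem)
        if _name(elem) != "dependency" or \
           (dep.get("groupId"), dep.get("artifactId")) != ("org.apache.poi", "poi"):
            continue
        # Resolve ${property} references declared in this POM.
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)),
                         dep.get("version", ""))
        findings.append((version, is_affected(version)))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
<properties><poi.version>3.16</poi.version></properties>
<dependencies><dependency>
<groupId>org.apache.poi</groupId><artifactId>poi</artifactId>
<version>${poi.version}</version>
</dependency></dependencies>
</project>"""

if __name__ == "__main__":
    print(find_poi(SAMPLE_POM))
```

A result of `None` means the version is inherited from a parent POM or could not be resolved locally, so the effective version has to be confirmed from the resolved dependency tree.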

Technical Details

Apache POI, in versions before 3.17, suffers from multiple denial of service vulnerabilities. Specifically, two main types of attacks are identified:

  1. Infinite Loops: When parsing crafted WMF, EMF, MSG, or macro files (referenced as POI bugs 61338 and 61294), the internal parsing logic enters an endless loop, consuming CPU cycles indefinitely and rendering the application unresponsive.
  2. Out of Memory (OOM) Exceptions: When processing specially crafted DOC, PPT, or XLS files (referenced as POI bugs 52372 and 61295), the library attempts to allocate an excessive amount of memory, exceeding available resources and causing the application to crash with an Out of Memory error.

Both scenarios lead to a denial of service condition by either locking up the process or terminating it entirely.

What is the Impact of CVE-2017-12626?

Successful exploitation may allow attackers to cause the application to become unresponsive due to infinite loops or crash due to out-of-memory errors, leading to a denial of service for legitimate users.

What is the Exploitability of CVE-2017-12626?

Exploitation of this vulnerability typically involves low to medium complexity. It requires an attacker to provide a specially crafted malicious document (e.g., WMF, EMF, MSG, macro, DOC, PPT, or XLS) to an application that uses Apache POI for document processing. No authentication is strictly required on the application itself if it processes untrusted documents from external sources. The attack is usually remote, as the attacker delivers the malicious file to the target system. Privilege requirements are minimal, as the vulnerability lies in the parsing logic. The primary constraint is that the target application must be configured to process office documents using a vulnerable version of Apache POI. The likelihood of exploitation is higher in systems that automatically process or preview untrusted office files.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2017-12626?

Available Upgrade Options

  • org.apache.poi:poi
    • <3.17 → Upgrade to 3.17

What are Similar Vulnerabilities to CVE-2017-12626?

Similar Vulnerabilities: CVE-2017-16129, CVE-2016-10542, CVE-2018-1000537, CVE-2018-3721, CVE-2015-1779