CVE-2017-5644
XML Entity Expansion (XEE) vulnerability in poi (Maven)
What is CVE-2017-5644 About?
Apache POI versions prior to 3.15 are vulnerable to an XML Entity Expansion (XEE) attack when processing specially crafted OOXML files. This can lead to a denial of service by consuming excessive CPU resources. Exploitation is achieved by providing a malicious OOXML file to an application that uses the vulnerable Apache POI library.
Affected Software
Technical Details
The vulnerability is an XML Entity Expansion (XEE) attack, a variant of the XML External Entity (XXE) attack class, that specifically targets OOXML files processed by Apache POI. An attacker crafts an OOXML document (e.g., a '.docx', '.xlsx', or '.pptx' file) containing deeply nested or excessively large XML entities. When Apache POI attempts to parse this document, the XML parser recursively expands these entities, rapidly consuming CPU time and memory. This intensive processing causes the application to slow down or become unresponsive, resulting in a denial of service for legitimate users. The issue stems from the XML parser in Apache POI not adequately limiting the expansion of XML entities, especially when encountering recursive or massively expanded internal entities.
What is the Impact of CVE-2017-5644?
Successful exploitation may allow attackers to cause a denial of service by consuming excessive CPU and memory resources.
What is the Exploitability of CVE-2017-5644?
Exploitation involves an attacker crafting a malicious OOXML file and providing it to an application that processes such files using an affected version of Apache POI. The complexity is low to medium, as creating the malicious file requires knowledge of XML and OOXML structures. No authentication is required if the application accepts and processes untrusted OOXML files from unauthenticated sources. Privilege requirements are low. This is typically a remote vulnerability if the file is uploaded, emailed, or otherwise delivered to the target system remotely, or a local vulnerability if the attacker needs to manually place the file on the system. The primary risk factor is the deployment of applications that process untrusted documents with vulnerable versions of Apache POI without proper XML parsing configuration.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2017-5644?
Available Upgrade Options
- org.apache.poi:poi
  - <3.15 → Upgrade to 3.15
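As a defence-in-depth check alongside the upgrade, an upload gate can refuse OOXML packages whose XML parts declare a DTD, since an entity can only be declared inside one. The sketch below is an added example, not Apache POI code: the class and method names are hypothetical, it assumes legitimate OOXML parts carry no DOCTYPE, it inspects only `.xml` and `.rels` parts, and the sample package in `main` is constructed.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.zip.*;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class OoxmlDtdScreen {
    /** Returns the first XML part a DTD-refusing parser rejects, or null if none. */
    static String firstRejectedPart(InputStream pkg) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // A DOCTYPE becomes a fatal error, so no entity is ever declared or expanded.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        try (ZipInputStream zip = new ZipInputStream(pkg)) {
            for (ZipEntry e; (e = zip.getNextEntry()) != null; ) {
                String n = e.getName().toLowerCase(Locale.ROOT);
                if (e.isDirectory() || !(n.endsWith(".xml") || n.endsWith(".rels"))) continue;
                try {
                    f.newSAXParser().parse(new NoClose(zip), new DefaultHandler());
                } catch (SAXException | IOException ex) {
                    return e.getName(); // DTD present or otherwise unparseable: reject
                }
            }
        }
        return null;
    }

    /** Shields the archive stream: the parser may call close() on its input. */
    static final class NoClose extends FilterInputStream {
        NoClose(InputStream in) { super(in); }
        @Override public void close() { }
    }

    static void put(ZipOutputStream z, String name, String xml) throws IOException {
        z.putNextEntry(new ZipEntry(name));
        z.write(xml.getBytes(StandardCharsets.UTF_8));
        z.closeEntry();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample package: one clean part, one part carrying a harmless DTD.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(buf)) {
            put(z, "[Content_Types].xml", "<Types/>");
            put(z, "word/document.xml", "<!DOCTYPE d [<!ENTITY a \"b\">]><d>&a;</d>");
        }
        System.out.println(firstRejectedPart(new ByteArrayInputStream(buf.toByteArray())));
    }
}
```

A non-null result names the part that caused the rejection, which is worth logging with the upload's source so repeated attempts can be correlated.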
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2017-5644
- https://www.oracle.com/security-alerts/cpuoct2020.html
- http://www.securityfocus.com/bid/96983
- http://poi.apache.org/#20+March+2017+-+CVE-2017-5644+-+Possible+DOS+%28Denial+of+Service%29+in+Apache+POI+versions+prior+to+3.15
- https://osv.dev/vulnerability/GHSA-78vv-qj73-h9m5
What are Similar Vulnerabilities to CVE-2017-5644?
Similar Vulnerabilities: CVE-2018-11784, CVE-2018-1327, CVE-2019-12415, CVE-2020-13936, CVE-2020-1935
