CVE-2022-26336
Out of Memory vulnerability in poi-scratchpad (Maven)
What is CVE-2022-26336 About?
This is an Out of Memory (OOM) vulnerability in the poi-scratchpad package of Apache POI when processing HMEF files. A specially crafted TNEF file can cause an application to consume excessive memory, leading to a crash. It is easy to exploit if untrusted TNEF files are processed.
Affected Software
Technical Details
The vulnerability resides in the HMEF package within poi-scratchpad (Apache POI), which is responsible for parsing TNEF files (e.g., Microsoft Outlook and Exchange Server data). An attacker can craft a malicious TNEF file containing data structures designed to consume an inordinate amount of memory when parsed by the affected library. When an application using poi-scratchpad attempts to process such a file, it will allocate an excessive amount of memory, eventually exceeding available resources and triggering an Out of Memory exception, causing the application to terminate or become unresponsive.
What is the Impact of CVE-2022-26336?
Successful exploitation may allow attackers to render the application unresponsive or crash it, leading to a denial of service.
What is the Exploitability of CVE-2022-26336?
Exploitation is of low complexity, requiring an attacker to provide a malicious TNEF file to an application that uses poi-scratchpad for parsing. There are no authentication or privilege requirements beyond the ability to submit a file for processing. This is typically a remote attack if the application allows untrusted users to upload or submit TNEF files. The main risk factor is an application processing untrusted TNEF files without proper validation or resource limits.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-26336?
Available Upgrade Options
- org.apache.poi:poi-scratchpad
  - >3.8-beta1, <5.2.1 → Upgrade to 5.2.1
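As an added example (not part of this advisory or of Apache POI), the following Python check flags poi-scratchpad coordinates that fall inside the range above in `mvn dependency:list` output. The Maven version ordering is a simplified reimplementation written for this example, and the sample output is constructed.

```python
"""Added check for CVE-2022-26336: flag org.apache.poi:poi-scratchpad versions inside the
advisory range (>3.8-beta1, <5.2.1) in `mvn dependency:list` output."""
import re
# Maven qualifier order (simplified from ComparableVersion): pre-release tags sort below a
# bare release; unknown qualifiers get rank 7 and sort after every known one.
_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2, "rc": 3, "cr": 3,
         "snapshot": 4, "ga": 5, "final": 5, "release": 5, "sp": 6}
def _tokens(version):
    """'3.8-beta1' -> [3, 8, (1, 'beta'), 1]: ints and (rank, text) qualifier tuples."""
    out = []
    for part in re.split(r"[.-]", version.lower()):
        for piece in re.findall(r"\d+|[a-z]+", part):
            out.append(int(piece) if piece.isdigit() else (_RANK.get(piece, 7), piece))
    return out
def _key(tok):
    """Sort key: a number (or a missing trailing component, read as 0) outranks any qualifier."""
    if tok is None or isinstance(tok, int):
        return (1, tok or 0)
    rank, text = tok
    return (0, rank, text if rank == 7 else "")
def compare_versions(a, b):
    """Return -1/0/1 ordering a against b as Maven would, e.g. 3.8-beta1 < 3.8 < 3.8.1."""
    ta, tb = _tokens(a), _tokens(b)
    for i in range(max(len(ta), len(tb))):
        ka = _key(ta[i] if i < len(ta) else None)
        kb = _key(tb[i] if i < len(tb) else None)
        if ka != kb:
            return -1 if ka < kb else 1
    return 0
def is_affected(version):
    """True when version lies strictly inside the advisory range >3.8-beta1, <5.2.1."""
    return compare_versions(version, "3.8-beta1") > 0 and compare_versions(version, "5.2.1") < 0
# groupId:artifactId:type[:classifier]:version:scope, as `mvn dependency:list` prints it.
_DEP = re.compile(r"(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?:[\w.\-]+:){1,2}(?P<v>[^:\s]+)"
                  r":(?:compile|test|provided|runtime|system)\b")
def scan_dependency_list(text):
    """Return (group, artifact, version) for each poi-scratchpad line in the affected range."""
    hits = []
    for line in text.splitlines():
        m = _DEP.search(line)
        if m and (m["g"], m["a"]) == ("org.apache.poi", "poi-scratchpad") and is_affected(m["v"]):
            hits.append((m["g"], m["a"], m["v"]))
    return hits
# Constructed sample output (not from a real build): only the first line should be flagged.
SAMPLE = """[INFO]    org.apache.poi:poi-scratchpad:jar:5.2.0:compile
[INFO]    org.apache.poi:poi-scratchpad:jar:3.8-beta1:test
[INFO]    org.apache.poi:poi-scratchpad:jar:5.2.1:compile"""
```

Run `scan_dependency_list` over the real `mvn dependency:list` output of a build; every tuple returned is a coordinate the advisory says to move to 5.2.1.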
Additional Resources
- https://lists.apache.org/thread/sprg0kq986pc2271dc3v2oxb1f9qx09j
- https://security.netapp.com/advisory/ntap-20221028-0006
- https://nvd.nist.gov/vuln/detail/CVE-2022-26336
- https://osv.dev/vulnerability/GHSA-mqvp-7rrg-9jxc
What are Similar Vulnerabilities to CVE-2022-26336?
Similar Vulnerabilities: CVE-2021-38297, CVE-2020-13957, GHSA-r8cc-g7j8-xxpm, CVE-2018-11776, CVE-2016-2183
