- Issued:
- 2014-10-13
- Updated:
- 2014-10-13
RHSA-2014:1398 - Moderate: Apache POI security update
Synopsis
Moderate: Apache POI security update
Type/Severity
Security Advisory Moderate
Topic
An update for the Apache POI component that fixes two security issues is now available from the Red Hat Customer Portal for Red Hat JBoss Data Virtualization 6.0.0.
Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Description
Apache POI is a library providing Java API for working with OOXML document files.
It was found that Apache POI would resolve entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to read files accessible to the user running the application server, and potentially perform more advanced XML External Entity (XXE) attacks. (CVE-2014-3529)
It was found that Apache POI would expand an unlimited number of entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to trigger a denial of service attack via excessive CPU and memory consumption. (CVE-2014-3574)
All users of Red Hat JBoss Data Virtualization 6.0.0 as provided from the Red Hat Customer Portal are advised to apply this security update.
Solution
The References section of this erratum contains a download link (you must log in to download the updates). Before applying the updates, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat JBoss Middleware | Text-Only Advisories | x86_64 |
Fixes
CVEs
References
- https://access.redhat.com/security/updates/classification/#moderate
- This content is not included.This content is not included.https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.0.0
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.