The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Oracle OpenOffice.org

computer vulnerability CVE-2016-5419 CVE-2016-5420 CVE-2016-5421

cURL: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of cURL.
Impacted products: SDS, SES, SNS, OpenOffice, Mac OS X, Brocade vTM, curl, Debian, Fedora, Android OS, Juniper EX-Series, Junos OS, SRX-Series, openSUSE, openSUSE Leap, Solaris, Puppet, RHEL, Slackware, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, client access/rights, denial of service on service, denial of service on client.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 3.
Creation date: 03/08/2016.
Identifiers: bulletinoct2016, cpuoct2018, CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, DLA-586-1, DSA-3638-1, FEDORA-2016-24316f1f56, FEDORA-2016-8354baae0f, HT207423, JSA10874, openSUSE-SU-2016:2227-1, openSUSE-SU-2016:2379-1, RHSA-2016:2575-02, RHSA-2018:3558-01, SSA:2016-219-01, STORM-2019-002, USN-3048-1, VIGILANCE-VUL-20295.

Description of the vulnerability

Several vulnerabilities were announced in cURL.

The TLS client of libcurl can resume a session even if the client certificate changed, which may lead to the authentication with an incorrect identity. [severity:2/4; CVE-2016-5419]

The TLS client of libcurl can reuse a session even if the client certificate changed, which may lead to the authentication with an incorrect identity. [severity:2/4; CVE-2016-5420]

An attacker can force the usage of a freed memory area via curl_easy_init(), in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-5421]

vulnerability bulletin CVE-2016-1513

OpenOffice.org Impress: memory corruption via MetaActions

Synthesis of the vulnerability

An attacker can create a malicious OpenOffice.org Impress document, and invite the victim to open it, in order to trigger a denial of service, and possibly to run code.
Impacted products: OpenOffice, Debian, Ubuntu.
Severity: 3/4.
Consequences: client access/rights, denial of service on client.
Provenance: document.
Creation date: 22/07/2016.
Identifiers: CERTFR-2016-AVI-263, CERTFR-2016-AVI-292, CVE-2016-1513, DLA-591-1, TALOS-2016-0051, USN-3046-1, VIGILANCE-VUL-20193.

Description of the vulnerability

The OpenOffice.org Impress program is used to create presentations.

However, a document containing a malicious MetaPolyPolygonAction can generate a fatal error.

An attacker can therefore create a malicious OpenOffice.org Impress document, and invite the victim to open it, in order to trigger a denial of service, and possibly to run code.

vulnerability note CVE-2016-4802

cURL: code execution via DLL searching

Synthesis of the vulnerability

An attacker can hijack the Windows DLL loading mechanism as used by cURL, in order to run code.
Impacted products: OpenOffice, curl, Juniper EX-Series, Junos OS, SRX-Series.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: user shell.
Creation date: 30/05/2016.
Identifiers: CVE-2016-4802, JSA10874, VIGILANCE-VUL-19724.

Description of the vulnerability

The product cURL is a multiprotocol client library.

On MS-Windows platforms, cURL may load some system libraries dynamically, on demand. However, the Windows function used for that, namely LoadLibrary, defaults to an insecure search path, including unprotected locations. This allows a user to plant a DLL with the same name as the one being searched for, such as "ws2_32.dll". The planted library will be found before the real one.

An attacker can therefore hijack the Windows DLL loading mechanism as used by cURL, in order to run code.

computer vulnerability CVE-2016-3739

cURL: Man-in-the-Middle of mbedTLS/PolarSSL

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle on cURL compiled with mbedTLS/PolarSSL, in order to read or write data in the session.
Impacted products: OpenOffice, curl, Juniper EX-Series, Junos OS, SRX-Series, Solaris, Slackware.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 18/05/2016.
Identifiers: bulletinoct2016, cpuoct2018, CVE-2016-3739, JSA10874, SSA:2016-141-01, VIGILANCE-VUL-19645.

Description of the vulnerability

The cURL product uses the TLS protocol, which can be provided by the mbedTLS/PolarSSL library.

The mbedtls_ssl_set_hostname() or ssl_set_hostname() function has to be called to define the server name, otherwise the X.509 certificate check is not performed by mbedTLS/PolarSSL.

However, cURL does not call these functions when the requested URL contains an IP address.

An attacker can therefore act as a Man-in-the-Middle on cURL compiled with mbedTLS/PolarSSL, in order to read or write data in the session.

vulnerability CVE-2016-1521 CVE-2016-1522 CVE-2016-1526

Graphite: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Graphite.
Impacted products: OpenOffice, Debian, Fedora, LibreOffice, Firefox, openSUSE, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 15/02/2016.
Identifiers: CVE-2016-1521, CVE-2016-1522, CVE-2016-1526, DSA-3479-1, FEDORA-2016-338a7e9925, FEDORA-2016-4154a4d0ba, MFSA-2016-14, openSUSE-SU-2016:0791-1, openSUSE-SU-2016:0875-1, RHSA-2016:0197-01, RHSA-2016:0594-01, RHSA-2016:0598-01, SUSE-SU-2016:0779-1, USN-2902-1, VIGILANCE-VUL-18940.

Description of the vulnerability

Several vulnerabilities were announced in Graphite.

An attacker can generate a memory corruption in directmachine.cpp, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-1521]

An attacker can generate a buffer overflow in Code.cpp, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-1522]

An attacker can force a read at an invalid address in TtfUtil.cpp, in order to trigger a denial of service. [severity:1/4; CVE-2016-1526]

computer vulnerability announce CVE-2016-0754

cURL: file change via HTTP response specifying filenames with colon

Synthesis of the vulnerability

An attacker who controls an HTTP server requested by a curl client can create or change files by sending a filename with a colon, in order for example to change an executable file.
Impacted products: OpenOffice, curl, Juniper EX-Series, Junos OS, SRX-Series.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights, data creation/edition.
Provenance: internet server.
Creation date: 27/01/2016.
Identifiers: CVE-2016-0754, JSA10874, VIGILANCE-VUL-18827.

Description of the vulnerability

The cURL product includes a command line HTTP client.

It defines options to specify the path of the file used to store the HTTP response body, and to let the server define the name via the response headers. However, the tool accepts a colon in filenames. On the MS-Windows platform, such paths are special, and in this case the tool may be made to write the response body to an unexpected place, including on a drive other than the current one.

An attacker who controls an HTTP server requested by a curl client can therefore create or change files by sending a filename with a colon, in order for example to change an executable file.

computer vulnerability alert CVE-2016-0755

cURL: privilege escalation via the use of proxy using NTLM authentication

Synthesis of the vulnerability

An attacker can use cURL with an HTTP proxy and NTLM authentication with the proxy account of another user, in order to escalate his privileges.
Impacted products: SDS, SES, SNS, OpenOffice, Mac OS X, Brocade Network Advisor, Brocade vTM, curl, Debian, Fedora, Juniper EX-Series, Junos OS, SRX-Series, openSUSE, openSUSE Leap, Solaris, Slackware, Ubuntu.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 27/01/2016.
Identifiers: BSA-2016-004, cpuoct2018, CVE-2016-0755, DSA-3455-1, FEDORA-2016-3fa315a5dd, FEDORA-2016-55137a3adb, FEDORA-2016-57bebab3b6, FEDORA-2016-5a141de5d9, HT207170, JSA10874, openSUSE-SU-2016:0360-1, openSUSE-SU-2016:0373-1, openSUSE-SU-2016:0376-1, SSA:2016-039-01, STORM-2019-002, USN-2882-1, VIGILANCE-VUL-18826.

Description of the vulnerability

The cURL product includes an embeddable HTTP client. It can use HTTP proxies.

When a proxy requires an NTLM authentication, this authentication is connection based (in contrast to HTTP based authentication which is request based). Typically, cURL reuses TCP connections to the proxy for several HTTP requests. However, cURL may do so even if different credentials for the proxy have been specified at request level.

An attacker can therefore use cURL with an HTTP proxy and NTLM authentication with the proxy account of another user, in order to escalate his privileges.

computer vulnerability alert CVE-2015-3195

OpenSSL: information disclosure via X509_ATTRIBUTE

Synthesis of the vulnerability

An attacker can read a memory fragment via X509_ATTRIBUTE of OpenSSL processing PKCS#7 or CMS data, in order to obtain sensitive information.
Impacted products: OpenOffice, Tomcat, ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Brocade vTM, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, ASA, AsyncOS, Cisco Content SMA, Cisco ESA, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco PRSM, Secure ACS, Cisco CUCM, Cisco MeetingPlace, Cisco WSA, Cisco Wireless Controller, Debian, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiGate, FortiGate Virtual Appliance, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, HP Switch, AIX, IRAD, QRadar SIEM, Tivoli Storage Manager, IVE OS, Juniper J-Series, Junos OS, Junos Space, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, Juniper SBR, MariaDB ~ precise, McAfee Email Gateway, MySQL Enterprise, Data ONTAP, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, Pulse Connect Secure, MAG Series by Pulse Secure, Pulse Secure SBR, Puppet, RHEL, JBoss EAP by Red Hat, Slackware, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 03/12/2015.
Identifiers: 1972951, 1976113, 1976148, 1985739, 2003480, 2003620, 2003673, 9010051, BSA-2016-006, bulletinjan2016, c05398322, CERTFR-2015-AVI-517, CERTFR-2016-AVI-128, cisco-sa-20151204-openssl, cpuapr2017, cpuoct2016, cpuoct2017, CVE-2015-3195, DSA-3413-1, FEDORA-2015-605de37b7f, FEDORA-2015-d87d60b9a9, FreeBSD-SA-15:26.openssl, HPESBHF03709, JSA10733, JSA10759, NTAP-20151207-0001, openSUSE-SU-2015:2288-1, openSUSE-SU-2015:2289-1, openSUSE-SU-2015:2318-1, openSUSE-SU-2015:2349-1, openSUSE-SU-2016:0637-1, openSUSE-SU-2016:0640-1, openSUSE-SU-2016:1327-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:2616-01, RHSA-2015:2617-01, RHSA-2016:2054-01, RHSA-2016:2055-01, RHSA-2016:2056-01, SA105, SA40100, SB10203, SOL12824341, SOL30714460, SOL55540723, SOL86772626, SSA:2015-349-04, SUSE-SU-2016:0678-1, USN-2830-1, VIGILANCE-VUL-18436.

Description of the vulnerability

The OpenSSL library supports the PKCS#7 and CMS formats.

However, if an X509_ATTRIBUTE structure is malformed, OpenSSL does not initialize a memory area before returning it to the user reading PKCS#7 or CMS data.

It can be noted that SSL/TLS is not impacted.

An attacker can therefore read a memory fragment via X509_ATTRIBUTE of OpenSSL processing PKCS#7 or CMS data, in order to obtain sensitive information.

vulnerability note CVE-2015-4551 CVE-2015-5212 CVE-2015-5213

LibreOffice, OpenOffice: four vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities were announced in LibreOffice/OpenOffice.
Impacted products: OpenOffice, Debian, LibreOffice, openSUSE, RHEL, Ubuntu.
Severity: 3/4.
Consequences: user access/rights, data reading, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 05/11/2015.
Identifiers: CERTFR-2015-AVI-463, CVE-2015-4551, CVE-2015-5212, CVE-2015-5213, CVE-2015-5214, DSA-3394-1, openSUSE-SU-2016:0588-1, RHSA-2015:2619-01, USN-2793-1, VIGILANCE-VUL-18254.

Description of the vulnerability

Several vulnerabilities were announced in LibreOffice/OpenOffice.

An OpenDocument document can access other files on the victim's computer. [severity:2/4; CVE-2015-4551]

An attacker can generate a buffer overflow in Printer in an ODF document, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5212]

An attacker can generate a buffer overflow in Piecetable in a DOC document, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5213]

An attacker can generate a buffer overflow in Bookmarks in a DOC document, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5214]

vulnerability note CVE-2015-2059

libidn, curl: information disclosure

Synthesis of the vulnerability

An attacker can retrieve a memory fragment from a process using libcurl, in order to get sensitive information.
Impacted products: OpenOffice, curl, Debian, Fedora, openSUSE, openSUSE Leap, Ubuntu.
Severity: 1/4.
Consequences: data reading.
Provenance: user account.
Creation date: 02/07/2015.
Revision date: 07/07/2015.
Identifiers: CVE-2015-2059, DLA-476-1, DSA-3578-1, FEDORA-2015-11562, FEDORA-2015-11621, openSUSE-SU-2015:1261-1, openSUSE-SU-2016:2135-1, openSUSE-SU-2016:2277-1, USN-3068-1, VIGILANCE-VUL-17294.

Description of the vulnerability

The URLs passed to libcurl functions may include non-US-ASCII characters.

The handling of non-US-ASCII characters in domain names is delegated to the libidn library. However, some functions from this library do not check whether the byte sequences passed to them are valid UTF-8. When the input is invalid, these functions may include in the conversion output the content of the memory following the input buffer, which should have been a UTF-8 byte string. The result will be sent to a DNS server.

An attacker can therefore retrieve a memory fragment from a process using libcurl, in order to get sensitive information.