ManifoldCF / CONNECTORS-1012

Upgrade Apache POI to correct multiple security issues


Details

    • Type: Task
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: ManifoldCF 1.7
    • Fix Version/s: ManifoldCF 1.7
    • Component/s: Tika extractor
    • Labels: None

    Description

      = CVE-2014-3529: XML External Entity (XXE) problem in Apache POI's OpenXML parser =
      Type: Information disclosure
      Description: Apache POI uses Java's XML components to parse OpenXML files produced by Microsoft Office products (DOCX, XLSX, PPTX,...). Applications that accept such files from end-users are vulnerable to XML External Entity (XXE) attacks, which allows remote attackers to bypass security restrictions and read arbitrary files via a crafted OpenXML document that provides an XML external entity declaration in conjunction with an entity reference.

      = CVE-2014-3574: XML Entity Expansion (XEE) problem in Apache POI's OpenXML parser =
      Type: Denial of service
      Description: Apache POI uses Java's XML components and Apache Xmlbeans to parse OpenXML files produced by Microsoft Office products (DOCX, XLSX, PPTX,...). Applications that accept such files from end-users are vulnerable to XML Entity Expansion (XEE) attacks ("XML bombs"), which allows remote hackers to consume large amounts of CPU resources.

      The Apache POI PMC released a bugfix version (3.10.1) today.

      Here is the Lucene/Solr recommended course of action (which we will have to map to MCF):

      - Delete the following files in your "solr-4.X.X/contrib/extraction/lib" folder:
          1. poi-3.10-beta2.jar
          2. poi-ooxml-3.10-beta2.jar
          3. poi-ooxml-schemas-3.10-beta2.jar
          4. poi-scratchpad-3.10-beta2.jar
          5. xmlbeans-2.3.0.jar
      - Copy the following files from the base folder of the Apache POI distribution to the "solr-4.X.X/contrib/extraction/lib" folder:
          1. poi-3.10.1-20140818.jar
          2. poi-ooxml-3.10.1-20140818.jar
          3. poi-ooxml-schemas-3.10.1-20140818.jar
          4. poi-scratchpad-3.10.1-20140818.jar
      - Copy "xmlbeans-2.6.0.jar" from POI's "ooxml-lib/" folder to the "solr-4.X.X/contrib/extraction/lib" folder.
      - Verify that the "solr-4.X.X/contrib/extraction/lib" folder no longer contains any files with version number "3.10-beta2".


      I will research whether all of these jars exist in Maven at this time; if they do, we should fix this problem in MCF 1.7.
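Added example, not part of the issue text and not ManifoldCF, Solr or Apache POI code: a Python check for the course of action above. `check_lib_dir` carries out the issue's final verification step (no "3.10-beta2" jar left, every replacement jar present) against a lib folder; `scan_ooxml_for_dtd` goes beyond the issue and gives a pre-parse check for the two CVE classes it quotes, flagging any OOXML part that carries a DOCTYPE declaration, which both external-entity and entity-expansion payloads need and which Office's own DOCX/XLSX/PPTX output does not contain. The jar names are those in the issue; the folder layout, the 1 MiB prolog limit and the sample inputs built by `build_samples` are assumptions for the example.

```python
"""Post-upgrade checks for CONNECTORS-1012.

Added example, not ManifoldCF, Solr or Apache POI code.  It assumes a
Solr-style "contrib/extraction/lib" folder holding the POI jars named in the
issue; the OOXML pre-scan is a defensive complement to the jar upgrade, not a
replacement for it.
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, List

# Jar names copied from the issue's delete/copy lists.
VULNERABLE_JARS = {
    "poi-3.10-beta2.jar",
    "poi-ooxml-3.10-beta2.jar",
    "poi-ooxml-schemas-3.10-beta2.jar",
    "poi-scratchpad-3.10-beta2.jar",
    "xmlbeans-2.3.0.jar",
}
REQUIRED_JARS = {
    "poi-3.10.1-20140818.jar",
    "poi-ooxml-3.10.1-20140818.jar",
    "poi-ooxml-schemas-3.10.1-20140818.jar",
    "poi-scratchpad-3.10.1-20140818.jar",
    "xmlbeans-2.6.0.jar",
}
# The issue's final step: no file with version "3.10-beta2" may remain.
VULNERABLE_VERSION_RE = re.compile(r"3\.10-beta2")


def check_lib_dir(lib_dir: str) -> Dict[str, List[str]]:
    """Report jars that still need deleting and replacement jars not yet copied.

    Both lists empty means the upgrade described in the issue is complete.
    """
    present = set(os.listdir(lib_dir))
    vulnerable = sorted(
        name for name in present
        if name in VULNERABLE_JARS or VULNERABLE_VERSION_RE.search(name)
    )
    missing = sorted(REQUIRED_JARS - present)
    return {"vulnerable": vulnerable, "missing": missing}


# The XML keyword is case-sensitive, so no IGNORECASE flag is needed.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE")
PROLOG_LIMIT = 1 << 20  # a DOCTYPE must precede the root element; 1 MiB is generous (assumed)


def scan_ooxml_for_dtd(path: str) -> List[str]:
    """Return the XML parts of an OOXML zip that carry a DOCTYPE declaration.

    OOXML parts written by Office carry no DTD, and both CVEs in the issue
    (external entities, entity expansion) need one, so any hit is a reason to
    reject the file before it reaches the parser.
    """
    flagged = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            with zf.open(info) as part:
                head = part.read(PROLOG_LIMIT)
            if DOCTYPE_RE.search(head):
                flagged.append(info.filename)
    return flagged


def build_samples() -> Dict[str, str]:
    """Construct sample inputs (placeholder jars and two tiny OOXML zips) in a temp dir."""
    root = tempfile.mkdtemp(prefix="connectors-1012-")
    lib_before = os.path.join(root, "lib-before")
    lib_after = os.path.join(root, "lib-after")
    for folder, names in ((lib_before, VULNERABLE_JARS), (lib_after, REQUIRED_JARS)):
        os.makedirs(folder)
        for name in names:
            open(os.path.join(folder, name), "wb").close()  # empty placeholder, not a real jar

    types_part = '<?xml version="1.0" encoding="UTF-8"?><Types/>'
    clean_docx = os.path.join(root, "clean.docx")
    with zipfile.ZipFile(clean_docx, "w") as zf:
        zf.writestr("[Content_Types].xml", types_part)
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')

    # Constructed sample with a harmless internal entity: the detector keys on
    # the DOCTYPE itself, not on what the entity contains.
    dtd_docx = os.path.join(root, "dtd.docx")
    with zipfile.ZipFile(dtd_docx, "w") as zf:
        zf.writestr("[Content_Types].xml", types_part)
        zf.writestr(
            "word/document.xml",
            '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e "placeholder">]>'
            "<document>&e;</document>",
        )
    return {"lib_before": lib_before, "lib_after": lib_after,
            "clean_docx": clean_docx, "dtd_docx": dtd_docx}


if __name__ == "__main__":
    samples = build_samples()
    print("before upgrade:", check_lib_dir(samples["lib_before"]))
    print("after upgrade: ", check_lib_dir(samples["lib_after"]))
    print("clean docx:    ", scan_ooxml_for_dtd(samples["clean_docx"]))
    print("dtd docx:      ", scan_ooxml_for_dtd(samples["dtd_docx"]))
```

Run it against a real lib folder by calling `check_lib_dir("/path/to/solr-4.X.X/contrib/extraction/lib")`; the DOCTYPE scan is cheap enough to run on every uploaded OOXML file ahead of the Tika extractor, and it stays useful after the upgrade because it removes the DTD-bearing inputs rather than relying on every downstream parser being hardened.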

      People

        Assignee: Karl Wright (kwright@metacarta.com)
        Reporter: Karl Wright (kwright@metacarta.com)