CVE-2014-3574: XEE
First published: Mon Aug 18 2014(Updated: )
Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/apache-poi-ooxml | <3.10.1 | 3.10.1 |
| redhat/apache-poi-ooxml | <3.11 | 3.11 |
| Apache POI | <=3.10 | |
| Apache POI | =0.1 | |
| Apache POI | =0.2 | |
| Apache POI | =0.3 | |
| Apache POI | =0.4 | |
| Apache POI | =0.5 | |
| Apache POI | =0.6 | |
| Apache POI | =0.7 | |
| Apache POI | =0.10.0 | |
| Apache POI | =0.11.0 | |
| Apache POI | =0.12.0 | |
| Apache POI | =0.13.0 | |
| Apache POI | =0.14.0 | |
| Apache POI | =1.0.0 | |
| Apache POI | =1.0.1 | |
| Apache POI | =1.0.2 | |
| Apache POI | =1.1.0 | |
| Apache POI | =1.2.0 | |
| Apache POI | =1.5 | |
| Apache POI | =1.5.1 | |
| Apache POI | =1.7-dev | |
| Apache POI | =1.8-dev | |
| Apache POI | =1.10-dev | |
| Apache POI | =2.0 | |
| Apache POI | =2.0-pre1 | |
| Apache POI | =2.0-pre2 | |
| Apache POI | =2.0-pre3 | |
| Apache POI | =2.0-rc1 | |
| Apache POI | =2.0-rc2 | |
| Apache POI | =2.5 | |
| Apache POI | =2.5.1 | |
| Apache POI | =3.0 | |
| Apache POI | =3.0-alpha1 | |
| Apache POI | =3.0-alpha2 | |
| Apache POI | =3.0-alpha3 | |
| Apache POI | =3.0.1 | |
| Apache POI | =3.0.2 | |
| Apache POI | =3.0.2-beta1 | |
| Apache POI | =3.0.2-beta2 | |
| Apache POI | =3.1 | |
| Apache POI | =3.1-beta1 | |
| Apache POI | =3.1-beta2 | |
| Apache POI | =3.2 | |
| Apache POI | =3.5 | |
| Apache POI | =3.5-beta1 | |
| Apache POI | =3.5-beta2 | |
| Apache POI | =3.5-beta3 | |
| Apache POI | =3.5-beta4 | |
| Apache POI | =3.5-beta5 | |
| Apache POI | =3.5-beta6 | |
| Apache POI | =3.6 | |
| Apache POI | =3.7 | |
| Apache POI | =3.7-beta1 | |
| Apache POI | =3.7-beta2 | |
| Apache POI | =3.7-beta3 | |
| Apache POI | =3.8 | |
| Apache POI | =3.8-beta1 | |
| Apache POI | =3.8-beta2 | |
| Apache POI | =3.8-beta3 | |
| Apache POI | =3.8-beta4 | |
| Apache POI | =3.8-beta5 | |
| Apache POI | =3.9 | |
| Apache POI | =3.10-beta1 | |
| Apache POI | =3.10-beta2 | |
| Apache POI | =3.11-beta1 | |
| maven/org.apache.poi:poi | =3.11-beta1 | 3.11-beta2 |
| maven/org.apache.poi:poi | <3.10.1 | 3.10.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2014-3574 https://nvd.nist.gov/vuln/detail/CVE-2014-3574
- https://bugzilla.redhat.com/show_bug.cgi?id=1138140
- https://access.redhat.com/errata/RHSA-2014:1399
- https://access.redhat.com/errata/RHSA-2014:1400
- https://access.redhat.com/errata/RHSA-2014:1398
- https://access.redhat.com/errata/RHSA-2014:1370
- https://access.redhat.com/errata/RHSA-2015:1009
- https://access.redhat.com/security/cve/CVE-2014-3574
- http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1138152
- https://issues.apache.org/bugzilla/show_bug.cgi?id=54764
- http://svn.apache.org/viewvc?view=revision&revision=1615720
- http://svn.apache.org/viewvc?view=revision&revision=1615731
- http://svn.apache.org/viewvc?view=revision&revision=1615781
- https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3574.yaml
- https://rhn.redhat.com/errata/RHSA-2014-1370.html
- https://rhn.redhat.com/errata/RHSA-2014-1400.html
- https://rhn.redhat.com/errata/RHSA-2014-1399.html
- https://rhn.redhat.com/errata/RHSA-2014-1398.html
- https://rhn.redhat.com/errata/RHSA-2015-1009.html
- http://poi.apache.org/changes.html
- http://rhn.redhat.com/errata/RHSA-2014-1370.html
- http://rhn.redhat.com/errata/RHSA-2014-1398.html
- http://rhn.redhat.com/errata/RHSA-2014-1399.html
- http://rhn.redhat.com/errata/RHSA-2014-1400.html
- http://secunia.com/advisories/59943
- http://secunia.com/advisories/60419
- http://secunia.com/advisories/61766
- http://www-01.ibm.com/support/docview.wss?uid=swg21996759
- http://www.securityfocus.com/bid/69648
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95768
- https://lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations
- https://nvd.nist.gov/vuln/detail/CVE-2014-3574
- https://svn.apache.org/repos/asf/poi/branches/REL_3_10_BRANCH@1616509
- https://svn.apache.org/repos/asf/poi/trunk@1615720
- https://svn.apache.org/repos/asf/poi/trunk@1615731
- https://svn.apache.org/repos/asf/poi/trunk@1615781
- https://github.com/advisories/GHSA-5wfp-8643-c58x (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-5wfp-8643-c58x
- alias/CVE-2014-3574
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/references
- agent/weakness
- agent/author
- agent/description
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- collector/github-advisory
- collector/redhat-bugzilla
- source/Red Hat
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/tags
- agent/source
- vendor/apache
- canonical/apache poi
- version/apache poi/3.10
- version/apache poi/0.1
- version/apache poi/0.2
- version/apache poi/0.3
- version/apache poi/0.4
- version/apache poi/0.5
- version/apache poi/0.6
- version/apache poi/0.7
- version/apache poi/0.10.0
- version/apache poi/0.11.0
- version/apache poi/0.12.0
- version/apache poi/0.13.0
- version/apache poi/0.14.0
- version/apache poi/1.0.0
- version/apache poi/1.0.1
- version/apache poi/1.0.2
- version/apache poi/1.1.0
- version/apache poi/1.2.0
- version/apache poi/1.5
- version/apache poi/1.5.1
- version/apache poi/1.7-dev
- version/apache poi/1.8-dev
- version/apache poi/1.10-dev
- version/apache poi/2.0
- version/apache poi/2.0-pre1
- version/apache poi/2.0-pre2
- version/apache poi/2.0-pre3
- version/apache poi/2.0-rc1
- version/apache poi/2.0-rc2
- version/apache poi/2.5
- version/apache poi/2.5.1
- version/apache poi/3.0
- version/apache poi/3.0-alpha1
- version/apache poi/3.0-alpha2
- version/apache poi/3.0-alpha3
- version/apache poi/3.0.1
- version/apache poi/3.0.2
- version/apache poi/3.0.2-beta1
- version/apache poi/3.0.2-beta2
- version/apache poi/3.1
- version/apache poi/3.1-beta1
- version/apache poi/3.1-beta2
- version/apache poi/3.2
- version/apache poi/3.5
- version/apache poi/3.5-beta1
- version/apache poi/3.5-beta2
- version/apache poi/3.5-beta3
- version/apache poi/3.5-beta4
- version/apache poi/3.5-beta5
- version/apache poi/3.5-beta6
- version/apache poi/3.6
- version/apache poi/3.7
- version/apache poi/3.7-beta1
- version/apache poi/3.7-beta2
- version/apache poi/3.7-beta3
- version/apache poi/3.8
- version/apache poi/3.8-beta1
- version/apache poi/3.8-beta2
- version/apache poi/3.8-beta3
- version/apache poi/3.8-beta4
- version/apache poi/3.8-beta5
- version/apache poi/3.9
- version/apache poi/3.10-beta1
- version/apache poi/3.10-beta2
- version/apache poi/3.11-beta1
- package-manager/maven
- package-manager/redhat