Remote Denial of Service in Apache POI Vulnerable to Crafted OOXML Files
CVE-2014-3574

Currently unrated

Key Information:

Vendor: Apache
Status: Poi
Vendor: CVE Published:; 4 September 2014

Summary

Remote attackers can exploit a vulnerability in Apache POI, allowing them to craft specially constructed OOXML files that lead to excessive CPU consumption and application crashes. This is primarily due to an XML Entity Expansion (XEE) attack, which can destabilize services relying on the affected versions of Apache POI.

References

http://www-01.ibm.com/support/docview.wss?uid=swg21996759

x_refsource_CONFIRM

http://www.securityfocus.com/bid/69648

vdb-entryx_refsource_BID

http://poi.apache.org/changes.html

x_refsource_CONFIRM

EPSS Score

11% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Sep 4, 2014
Vulnerability Reserved
May 14, 2014