See Axel’s excellent blog post for many more details of this issue. We have also made available a Snort rule to detect the use of this API call on your network:
We can only recommend, if using OpenOffice or LibreOffice in server mode is absolutely necessary, to use a firewall (possibly host-based) to limit which systems can connect to the API, and to run it in a container using a low-priviliged user account. Apache assigns their own CVE numbers (they are a “CNA”, a “CVE Numbering Authority”, themselves), and they are not recognising this as a security issue. Unfortunately, after five months of trying, we have not been able to convince the Apache Security Team that this is, in fact, a security issue. Although examples tend to use port numbers just above 2000, there is no default port number, so scanning for this issue is not trivial.The “office server” mode is rarely used.Any user account used to launch OpenOffice or LibreOffice in office server mode can be compromised with relative ease. No authentication is required, only knowledge of the protocol.ĭetails (without Proof-of-Concept code for now) is available in Axel’s blog post.
The API contains a call named XSystemShellExecute which will execute an arbitrary command sent to it as a parameter.
0 kommentar(er)
