| <!DOCTYPE html> |
| <html> |
| <head> |
| <title>CVE-2019-9853</title> |
| <style type="text/css"></style> |
| </head> |
| |
| <body> |
| <p> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9853"> |
| CVE-2019-9853 |
| </a> |
| </p> |
| <p> |
| <a href="https://www.openoffice.org/security/cves/CVE-2019-9853.html"> |
| Apache OpenOffice Advisory |
| </a> |
| </p> |
| <p style="text-align:center; font-size:larger"> |
| <strong> |
| CVE-2019-9853 Insufficient URL decoding flaw in categorizing macro location |
| </strong> |
| </p> |
| <p style="text-align:center; font-size:larger"> |
| <strong> |
| Fixed in Apache OpenOffice 4.1.7 |
| </strong> |
| </p> |
| <p> |
| <strong> |
| Description |
| </strong> |
| </p> |
| <p> |
| OpenOffice documents can contain macros. The execution of those macros is controlled by the document security settings, |
| typically execution of macros are blocked by default. A URL decoding flaw existed in how the URLs to the macros within |
| the document were processed and categorized, resulting in the possibility to construct a document where macro execution |
| bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to |
| their existence within the documents, but macros within the document were subsequently not controlled by the security |
| settings allowing arbitrary macro execution. |
| This issue affects: OpenOffice 4.1.6 and older versions. |
| </p> |
| <p> |
| <strong> |
| Severity: Medium |
| </strong> |
| </p> |
| <p> |
| There are no known exploits of this vulnerability. |
| <br /> |
| A proof-of-concept demonstration exists. |
| </p> |
| <p> |
| Thanks to the reporter for discovering this issue. |
| </p> |
| <p> |
| <strong> |
| Vendor: The Apache Software Foundation |
| </strong> |
| </p> |
| <p> |
| <strong> |
| Versions Affected |
| </strong> |
| </p> |
| <p> |
| All Apache OpenOffice versions 4.1.6 and older are affected. |
| <br /> |
| OpenOffice.org versions may also be affected. |
| </p> |
| <p> |
| <strong> |
| Mitigation |
| </strong> |
| </p> |
| <p> |
| Install Apache OpenOffice 4.1.7 for the latest maintenance and cumulative security fixes. Use the Apache OpenOffice |
| <a href="https://www.openoffice.org/download/"> |
| download page |
| </a>. |
| </p> |
| <p> |
| <strong> |
| Acknowledgments |
| </strong> |
| </p> |
| <p> |
| The Apache OpenOffice Security Team would like to thank |
| Nils Emmerich (ERNW Research GmbH) |
| for reporting the issue. |
| </p> |
| <p> |
| <strong> |
| Further Information |
| </strong> |
| </p> |
| <p> |
| For additional information and assistance, consult the |
| <a href="https://forum.openoffice.org/"> |
| Apache OpenOffice Community Forums |
| </a> |
| or make requests to the |
| <a href="mailto:users@openoffice.apache.org"> |
| users@openoffice.apache.org |
| </a> |
| public mailing list. |
| </p> |
| <p> |
| The latest information on Apache OpenOffice security bulletins can be found at the |
| <a href="https://www.openoffice.org/security/bulletin.html"> |
| Bulletin Archive page |
| </a>. |
| </p> |
| <hr /> |
| <p> |
| <a href="https://security.openoffice.org"> |
| Security Home |
| </a> |
| -> |
| <a href="https://www.openoffice.org/security/bulletin.html"> |
| Bulletin |
| </a> |
| -> |
| <a href="https://www.openoffice.org/security/cves/CVE-2019-9853.html"> |
| CVE-2019-9853 |
| </a> |
| </p> |
| </body> |
| </html> |
