<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>CVE-2021-41832</title>
</head>
<body>
<p>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-41832">CVE-2021-41832</a>
</p>
<p>
<a href="https://www.openoffice.org/security/cves/CVE-2021-41832.html">Apache OpenOffice Advisory</a>
</p>
<p style="text-align:center; font-size:x-large">
<strong>#4 Content Manipulation with Certificate Validation Attack</strong>
</p>
<p style="text-align:center; font-size:larger">
<strong>Fixed in Apache OpenOffice 4.1.11</strong>
</p>
<p>
<strong>Description</strong>
</p>
<p>
It is possible for an attacker to manipulate documents to appear to be signed by a trusted source.
<br />
An attacker can use the vulnerability to convert an untrusted digital signature into a trusted one
and change the content of the ODF document without invalidating the signature.
</p>
<p>
<strong>Severity: Moderate</strong>
</p>
<p>
There are no known exploits of this vulnerability.
<br />
A proof-of-concept demonstration exists.
</p>
<p>
Thanks to the reporter for discovering this issue.
</p>
<p>
<strong>Vendor: The Apache Software Foundation</strong>
</p>
<p>
<strong>Versions Affected</strong>
</p>
<p>
All Apache OpenOffice versions 4.1.10 and older are affected.
<br />
OpenOffice.org versions may also be affected.
</p>
<p>
<strong>Mitigation</strong>
</p>
<p>
Install Apache OpenOffice 4.1.11 for the latest maintenance and cumulative security fixes.
Use the Apache OpenOffice <a href="https://www.openoffice.org/download/">download page</a>.
</p>
<p>
<strong>Acknowledgments</strong>
</p>
<p>
The Apache OpenOffice Security Team would like to thank Simon Rohlmann, Vladislav Mladenov,
Christian Mainka and Jörg Schwenk, Ruhr University Bochum, Germany, for discovering and reporting this
attack vector.
</p>
<p>
<strong>Further Information</strong>
</p>
<p>
This issue was also reported to LibreOffice with CVE-2021-25635.
</p>
<p>
For additional information and assistance, consult the
<a href="https://forum.openoffice.org/">Apache OpenOffice Community Forums</a>
or make requests to the
<a href="mailto:users@openoffice.apache.org">users@openoffice.apache.org</a>
public mailing list.
</p>
<p>
The latest information on Apache OpenOffice security bulletins can be found at the
<a href="https://www.openoffice.org/security/bulletin.html">Bulletin Archive page</a>.
</p>
</body>
</html>