| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> |
| <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> |
| <head> |
| <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> |
| <title>CVE-2021-41832</title> |
| </head> |
| |
| <body> |
| <p> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-41832">CVE-2021-41832</a> |
| </p> |
| <p> |
| <a href="https://www.openoffice.org/security/cves/CVE-2021-41832.html">Apache OpenOffice Advisory</a> |
| </p> |
| <p style="text-align:center; font-size:largest"> |
| <strong>#4 Content Manipulation with Certificate Validation Attack</strong> |
| </p> |
| <p style="text-align:center; font-size:larger"> |
| <strong>Fixed in Apache OpenOffice 4.1.11</strong> |
| </p> |
| <p> |
| <strong>Description</strong> |
| </p> |
| <p> |
| It is possible for an attacker to manipulate documents to appear to be signed by a trusted source. |
| <br /> |
| An attacker can use the vulnerability to convert an untrusted digital signature into a trusted one |
| and change the content of the ODF document without invalidating the signature. |
| </p> |
| <p> |
| <strong>Severity: Moderate</strong> |
| </p> |
| <p> |
| There are no known exploits of this vulnerability. |
| <br /> |
| A proof-of-concept demonstration exists. |
| </p> |
| <p> |
| Thanks to the reporter for discovering this issue. |
| </p> |
| <p> |
| <strong>Vendor: The Apache Software Foundation</strong> |
| </p> |
| <p> |
| <strong>Versions Affected</strong> |
| </p> |
| <p> |
| All Apache OpenOffice versions 4.1.10 and older are affected. |
| <br /> |
| OpenOffice.org versions may also be affected. |
| </p> |
| <p> |
| <strong>Mitigation</strong> |
| </p> |
| <p> |
| Install Apache OpenOffice 4.1.11 for the latest maintenance and cumulative security fixes. |
| Use the Apache OpenOffice <a href="https://www.openoffice.org/download/">download page</a>. |
| </p> |
| <p> |
| <strong>Acknowledgments</strong> |
| </p> |
| <p> |
| The Apache OpenOffice Security Team would like to thank Simon Rohlmann, Vladislav Mladenov, |
| Christian Mainka and Jörg Schwenk, Ruhr University Bochum, Germany, for discovering and reporting this |
| attack vector. |
| </p> |
| <p> |
| <strong>Further Information</strong> |
| </p> |
| <p> |
| This issue was also reported to LibreOffice with CVE-2021-25635. |
| </p> |
| <p> |
| For additional information and assistance, consult the |
| <a href="https://forum.openoffice.org/">Apache OpenOffice Community Forums</a> |
| or make requests to the |
| <a href="mailto:users@openoffice.apache.org">users@openoffice.apache.org</a> |
| public mailing list. |
| </p> |
| <p> |
| The latest information on Apache OpenOffice security bulletins can be found at the |
| <a href="https://www.openoffice.org/security/bulletin.html">Bulletin Archive page</a>. |
| </p> |
| </body> |
| </html> |