content/security/cves/CVE-2022-37400.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>CVE-2022-37400</title>
  </head>

  <body>
    <p>
      <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-37400">CVE-2022-37400</a>
    </p>
    <p>
      <a href="https://www.openoffice.org/security/cves/CVE-2022-37400.html">Apache OpenOffice Advisory</a>
    </p>
    <p style="text-align:center; font-size:largest">
      <strong>Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing
      the Master Password</strong>
    </p>
    <p style="text-align:center; font-size:larger">
      <strong>Fixed in Apache OpenOffice 4.1.13</strong>
    </p>
    <p>
      <strong>Description</strong>
    </p>
    <p>
     Apache OpenOffice supports the storage of passwords for web connections in the user's configuration
     database. The stored passwords are encrypted with a single master key provided by the user. A flaw in
     OpenOffice existed where the required initialization vector for encryption was always the same which
     weakens the security of the encryption making them vulnerable if an attacker has access to the user's
     configuration data.
    </p>
    <p>
      <strong>Severity: Moderate</strong>
    </p>
    <p>
      There are no known exploits of this vulnerability.
      <br />
      A proof-of-concept demonstration exists.
    </p>
    <p>
      Thanks to the reporter for discovering this issue.
    </p>
    <p>
      <strong>Vendor: The Apache Software Foundation</strong>
    </p>
    <p>
      <strong>Versions Affected</strong>
    </p>
    <p>
      All Apache OpenOffice versions 4.1.12 and older are affected.
      <br />
      OpenOffice.org versions may also be affected.
    </p>
    <p>
      <strong>Mitigation</strong>
    </p>
    <p>
      Install Apache OpenOffice 4.1.13 for the latest maintenance and cumulative security fixes.
      Use the Apache OpenOffice <a href="https://www.openoffice.org/download/"> download page</a>.
    </p>
    <p>
      <strong>Acknowledgments</strong>
    </p>
    <p>
      The Apache OpenOffice Security Team would like to thank Selma Jabour, OpenSource Security GmbH,
      Germany on behalf of the German Federal Office for Information Security, for discovering and
      reporting this attack vector
    </p>
    <p>
      <strong>Further Information</strong>
    </p>
    <p>
      For additional information and assistance, consult the
      <a href="https://forum.openoffice.org/">Apache OpenOffice Community Forums</a>
      or make requests to the
      <a href="mailto:users@openoffice.apache.org">users@openoffice.apache.org</a>
      public mailing list.
    </p>
    <p>
      The latest information on Apache OpenOffice security bulletins can be found at the
      <a href="https://www.openoffice.org/security/bulletin.html">Bulletin Archive page</a>.
    </p>
    <hr />
    <p>
      <a href="https://security.openoffice.org">Security Home</a>-&gt;
      <a href="https://www.openoffice.org/security/bulletin.html">Bulletin</a>-&gt;
      <a href="https://www.openoffice.org/security/cves/CVE-2022-37400.html">CVE-2022-37400</a>
    </p>
  </body>
</html>