CVE-2013-1571
Frame Injection Vulnerability in SDK JavaDoc
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected:
- Apache OpenOffice 3.4.1 SDK, on all platforms.
- Earlier versions may also be affected.
Description:
As reported on June 18th, there is a vulnerability in the JavaDoc generated by Java 5, Java 6 and Java 7 before update 22. The generated JavaDoc files could be susceptible to HTML frame injection attacks: the frameset index page loads a location taken from its own URL into a frame without validating it, so a user who follows a crafted link can be shown attacker-controlled content inside the trusted documentation site. Our investigation indicated that the UDK 3.2.7 Java API Reference in the Apache OpenOffice SDK contains a vulnerable HTML file.
Note: Ordinary installs of OpenOffice are not impacted by this vulnerability. Only installs of the OpenOffice SDK, typically installed only by software developers writing extensions, are impacted.
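The following is an added example, not code from this advisory, from the OpenOffice SDK or from Oracle's JavaDoc generator. It reconstructs the pattern behind the frame injection (a frameset index page that takes the part of its URL after "?" and uses it as the frame location) and places a hardened resolver next to it. The function names (resolveFrameTargetUnsafe, isSafeDocPath, resolveFrameTarget) and the sample paths are this example's own assumptions.

```javascript
// Vulnerable pattern: the query string after "?" is used verbatim as the
// content frame's location, so index.html?http://attacker.example/ frames an
// attacker-chosen page inside the documentation site's frameset.
function resolveFrameTargetUnsafe(search) {
  let targetPage = "" + search;
  if (targetPage !== "" && targetPage !== "undefined") {
    targetPage = targetPage.substring(1); // strip the leading "?"
  }
  return targetPage; // in the page this later becomes classFrame.location
}

// Hardened check: accept only a relative path to a generated .html page.
// Rejects schemes (http:, javascript:, data:), absolute and protocol-relative
// URLs, dot segments (including percent-encoded ones such as %2e%2e, which
// browsers normalise to "..") and any character JavaDoc never emits in a name.
function isSafeDocPath(path) {
  if (path === "" || !path.endsWith(".html")) return false;
  if (path.includes(":")) return false;        // no URL scheme
  if (path.startsWith("/")) return false;      // no "/..." or "//host/..."
  for (const seg of path.split("/")) {
    if (seg === "" || seg === "." || seg === "..") return false;
    if (!/^[A-Za-z0-9_$.-]+$/.test(seg)) return false;
  }
  return true;
}

// Hardened resolver: returns the page to load, or null to leave the default.
function resolveFrameTarget(search) {
  const candidate = resolveFrameTargetUnsafe(search);
  return isSafeDocPath(candidate) ? candidate : null;
}

// Constructed sample inputs (assumed, not taken from the advisory).
const samples = [
  "?com/sun/star/uno/XInterface.html",   // legitimate relative page
  "?http://attacker.example/",           // injected external site
  "?javascript:alert(document.domain)",  // script URL
  "?//attacker.example/index.html",      // protocol-relative URL
  "?../../outside.html",                 // path traversal
  "?%2e%2e/outside.html",                // encoded traversal
];
for (const s of samples) {
  console.log(JSON.stringify(s), "unsafe ->", JSON.stringify(resolveFrameTargetUnsafe(s)),
              "hardened ->", JSON.stringify(resolveFrameTarget(s)));
}
```

Only the first sample survives the hardened resolver; every other input, which the unsafe version would hand to the frame unchanged, yields null and the frameset keeps its default page.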
Mitigation
SDK users should update their installations by replacing /docs/java/ref/index.html (relative to the SDK installation directory) with the patched version provided with this advisory (cve-2013-1571.zip). Download it, unzip it and follow the instructions in the enclosed README file.
Users with earlier versions of the SDK (pre 3.4.1) should upgrade to the current version and then apply the patch. Alternatively, they can download and run Oracle's Java API Documentation Updater Tool to repair the vulnerable files in place.
Verifying the Integrity of Downloaded Files
We have provided MD5 and SHA256 hashes of the patch, as well as a GPG/PGP detached digital signature, for those who wish to verify the integrity of the downloaded file.
The MD5 and SHA256 hashes can be verified using Unix tools like md5sum or sha256sum.
The PGP signature can be verified using PGP or GPG. First download the KEYS file, as well as the .asc signature file for the patch from above. Make sure you get these files from the main distribution directory, rather than from a mirror: a signature check is only as trustworthy as the KEYS file it is checked against, and a compromised mirror could serve a substituted key along with a tampered patch. Then verify the signature as follows:
% pgpk -a KEYS
% pgpv cve-2013-1571.zip.asc
or
% pgp -ka KEYS
% pgp cve-2013-1571.zip.asc
or
% gpg --import KEYS
% gpg --verify cve-2013-1571.zip.asc