CVE-2015-4551: TARGETED DATA DISCLOSURE
Fixed in Apache OpenOffice 4.1.2
Version 1.0
Announced November 4, 2015
A vulnerability in OpenOffice settings of OpenDocument Format files and templates allows silent access to files that are readable from an user account, over-riding the user's default configuration settings. Once these files are imported into a maliciously-crafted document, the data can be silently hidden in the document and possibly exported to an external party without being observed.
Severity: Important
There are no known exploits of this vulnerabilty.
A proof-of-concept demonstration exists.
Vendor: The Apache Software Foundation
Versions Affected
All Apache OpenOffice versions 4.1.1 and older are affected.
OpenOffice.org versions are also affected.
Related: CVE-2014-3575 and CVE-2012-0037
Mitigation
Apache OpenOffice users are urged to download and install Apache OpenOffice version 4.1.2 or later.
Apache OpenOffice 4.1.2 mitigates this vulnerability by ignoring in-document settings that over-ride default behavior when accessing data beyond the document itself. The automatic default behavior is changed to make such access evident to the user, who must then approve the access.
Nature of Attack
This vulnerability requires an exquisitely crafted attack to locate targeted files, silently retrieve them, and then deliver their data in a manner that escapes notice. Knowledge of the user's system and specific configuration is generally required.
Precautions
In addition to keeping Apache OpenOffice updated, users can reduce the threat of this kind of data access from ODF documents. Keep documents and sensitive materials separate from common, predictable locations, including on networks. Require additional access permissions for access to sensitive materials even when operating under the user's normal account.
Further Information
For additional information and assistance, consult the Apache OpenOffice Community Forums or make requests to the users@openoffice.apache.org public mailing list.
The latest information on Apache OpenOffice security bulletins can be found at the Bulletin Archive page.
Credits
The Apache OpenOffice security team thanks Federico "fox" Scrinzi for reporting the defect and Stephan Bergmann of Red Hat for analysis and a repair solution.