It was found that Apache POI would resolve entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to read files accessible to the user running the application server, and potentially perform more advanced XML External Entity (XXE) attacks.
Find out more about CVE-2014-3529 from the MITRE CVE dictionary dictionary and NIST NVD.
Red Hat Product Security has determined that CVE-2014-3529 is not exploitable by default in JBoss Portal Platform as provided by Red Hat. This flaw would only be exploitable if the Apache POI library provided by JBoss Portal Platform were used by a custom application to process user-supplied XML documents.
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 5 |
|---|---|
| Base Metrics | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss Portal Platform 6 | apache-poi | Will not fix |
| Red Hat JBoss Portal 5 | apache-poi | Will not fix |
| Red Hat JBoss Fuse Service Works 6 | apache-poi | Will not fix |
| Red Hat JBoss Data Virtualization 6 | apache-poi | Will not fix |
| Red Hat JBoss BRMS 6 | apache-poi | Will not fix |
| Red Hat JBoss BRMS 5 | apache-poi | Will not fix |
| Red Hat JBoss BPMS 6 | apache-poi | Will not fix |
| RHEV Manager 3 | jasperreports-server-pro | Will not fix |
Vulmon