
Apache OpenOffice can be hijacked by malicious documents, fix still in beta
2021-09-20 20:52

Apache OpenOffice is currently vulnerable to a remote code execution vulnerability and while the app's source code has been patched, the fix has only been made available as beta software and awaits an official release.

CVE-2021-33035: RCE in Apache OpenOffice up to 4.1.10 - pure memory corruption.

In his post, Lim said he wondered why the bug had not been caught earlier, and noticed that GitHub's LGTM automated security scan for open-source projects has Apache OpenOffice tagged for Python and JavaScript but not for C++, the language the vulnerable code is written in. "Browsing the files on LGTM, I noticed that there were no C++ files included," he observed.

Apache OpenOffice, which has struggled to sustain itself in recent years, received the initial disclosure on May 4, and with any luck the fix will be finalized before the end of September.

"The Apache OpenOffice Project Management Committee are in regular communication with Eugene Lim, who has confirmed our fix and has committed to point users to the beta patch," said Dave Fisher, on behalf of the Apache OpenOffice PMC, in a statement emailed to The Register.

"We endeavor to roll the release for Apache OpenOffice 4.1.11 within the month, hopefully sooner, and publish the CVE-2021-33035 before the release."


News URL

https://go.theregister.com/feed/www.theregister.com/2021/09/20/apache_openoffice_rce/

Related Vulnerability

DATE:                2021-09-23
CVE:                 CVE-2021-33035
VULNERABILITY TITLE: Classic Buffer Overflow vulnerability in Apache Openoffice
                     Apache OpenOffice opens dBase/DBF documents and shows the contents as spreadsheets.
RISK:                7.8 (local, low complexity; vendor: apache; CWE-120)

Related vendor

VENDOR       LAST 12M #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Apache       295                   58    843      629    289        1819
Openoffice   2                     2     9        5      15         31