A malicious document could lead to RCE in Apache OpenOffice (CVE-2021-33035)

2021-09-22 10:53

Apache OpenOffice, one of the most popular open-source office productivity software suites, sports a RCE vulnerability that could be triggered via a specially crafted document.

CVE-2021-33035 was discovered by researcher Eugene Lim via fuzzing and source code review of Apache OpenOffice.

"While Scalabium dBase viewer was run by a single developer and could be resolved almost immediately, Apache OpenOffice took much longer," he noted.

The Apache OpenOffice office has, over the years, been slow at pushing out fixes for security issues because it often found itself without development resources and release managers.

Last year the The Document Foundation - the developers of LibreOffice - published an open letter asking the Apache OpenOffice project to "Endorse" LibreOffice and made users aware of it.

"If Apache OpenOffice still wants to maintain its old 4.1 branch from 2014, sure, that's important for legacy users. But the most responsible thing to do in 2020 is: help new users. Make them aware that there's a much more modern, up-to-date, professionally supported suite, based on OpenOffice, with many extra features that people need."

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/z-ASOM9w9yo/

#apache #RCE #CVE-2021-33035

Related Vulnerability

DATE	CVE	VULNERABILITY TITLE	RISK
2021-09-23	CVE-2021-33035	Classic Buffer Overflow vulnerability in Apache Openoffice Apache OpenOffice opens dBase/DBF documents and shows the contents as spreadsheets. local low complexity apache CWE-120	7.8

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Apache		295	58	844	630	289	1821
Openoffice		2	2	9	5	15	31