CVE-2014-3574
It was found that Apache POI would expand an unlimited number of entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to trigger a denial of service attack via excessive CPU and memory consumption.
Find out more about CVE-2014-3574 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
Red Hat Product Security has determined that CVE-2014-3574 is not exploitable by default in JBoss Portal Platform as provided by Red Hat. This flaw would only be exploitable if the Apache POI library provided by JBoss Portal Platform were used by a custom application to process user-supplied XML documents.
CVSS v2 metrics
| Base Score | 5 |
|---|---|
| Base Metrics | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss BRMS 6.0 | RHSA-2014:1400 | 2014-10-13 |
| Red Hat JBoss Data Virtualization 6.0 | RHSA-2014:1398 | 2014-10-13 |
| Red Hat JBoss Portal 6.2 | RHSA-2015:1009 | 2015-05-14 |
| Red Hat JBoss Fuse Service Works 6.0 | RHSA-2014:1370 | 2014-10-09 |
| Red Hat JBoss BPMS 6.0 | RHSA-2014:1399 | 2014-10-13 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Satellite 5.6 | apache-poi | Will not fix |
| Red Hat Satellite 5.5 | apache-poi | Will not fix |
| Red Hat Satellite 5.4 | apache-poi | Will not fix |
| Red Hat Satellite 5.3 | apache-poi | Will not fix |
| Red Hat JBoss Portal 5 | apache-poi | Will not fix |
| Red Hat JBoss Enterprise SOA Platform 4 | apache-poi | Will not fix |
| Red Hat JBoss BRMS 5 | apache-poi | Will not fix |
| RHEV Manager 3 | jasperreports-server-pro | Will not fix |