Executive Summary
Summary | |
---|---|
Title | libreoffice security, bug fix, and enhancement update |
Information | |||
---|---|---|---|
Name | RHSA-2015:0377 | First vendor Publication | 2015-03-05 |
Vendor | RedHat | Last vendor Modification | 2015-03-05 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Problem Description:

Updated libreoffice packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite.

It was found that LibreOffice documents executed macros unconditionally, without user approval, when these documents were opened using LibreOffice. An attacker could use this flaw to execute arbitrary code as the user running LibreOffice by embedding malicious VBA scripts in the document as macros. (CVE-2014-0247)

A flaw was found in the OLE (Object Linking and Embedding) generation in LibreOffice. An attacker could use this flaw to embed malicious OLE code in a LibreOffice document, allowing for arbitrary code execution. (CVE-2014-3575)

A use-after-free flaw was found in the "Remote Control" capabilities of the LibreOffice Impress application. An attacker could use this flaw to remotely execute code with the permissions of the user running LibreOffice Impress. (CVE-2014-3693)

The libreoffice packages have been upgraded to upstream version 4.2.6.3, which provides a number of bug fixes and enhancements over the previous version. Among others:

* Improved OpenXML interoperability.
* Additional statistic functions in Calc (for interoperability with Excel and Excel's Add-in "Analysis ToolPak").
* Various performance improvements in Calc.
* Apple Keynote and Abiword import.
* Improved MathML export.
* New Start screen with thumbnails of recently opened documents.
* Visual clue in Slide Sorter when a slide has a transition or an animation.
* Improvements for trend lines in charts.
* Support for BCP-47 language tags.

(BZ#1119709)

All libreoffice users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1065807 - [fix available] Usability - libreoffice does not search XDG defined "Templates" directory
1096295 - [fix available] Highlighting the currently selected slide vs the currently viewed slide is hard in impress
1111083 - CVE-2014-0247 libreoffice: VBA macros executed unconditionally
1111216 - [fix available] LibreOffice Calc: PDF export of an empty document fails with Write Error
1117853 - [fix available] impress killed by SIGABRT on paste into outline view at a position where the slide has no title object
1119709 - Rebase to latest stable LibreOffice 4.2.X in RHEL-7.1
1132065 - rebase libcmis to 0.4.1
1132069 - rebase mdds to 0.10.3
1132070 - rebase libmwaw to 0.2.0
1132072 - rebase libodfgen to 0.0.4
1132077 - rebase liblangtag to 0.5.4
1138882 - CVE-2014-3575 openoffice: Arbitrary file disclosure via crafted OLE objects
1164733 - CVE-2014-3693 libreoffice: Use-After-Free in socket manager of Impress Remote
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2015-0377.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-200 | Information Exposure |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:25102 | |||
Oval ID: | oval:org.mitre.oval:def:25102 | ||
Title: | USN-2253-1 -- libreoffice vulnerability | ||
Description: | LibreOffice would unconditionally execute certain VBA macros. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2253-1 CVE-2014-0247 | Version: | 3 |
Platform(s): | Ubuntu 14.04 | Product(s): | libreoffice |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27595 | |||
Oval ID: | oval:org.mitre.oval:def:27595 | ||
Title: | USN-2398-1 -- LibreOffice vulnerability | ||
Description: | It was discovered that LibreOffice incorrectly handled the Impress remote control port. An attacker could possibly use this issue to cause Impress to crash, resulting in a denial of service, or possibly execute arbitrary code. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2398-1 CVE-2014-3693 | Version: | 5 |
Platform(s): | Ubuntu 14.10 Ubuntu 14.04 | Product(s): | libreoffice |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27913 | |||
Oval ID: | oval:org.mitre.oval:def:27913 | ||
Title: | USN-2400-1 -- LibreOffice vulnerability | ||
Description: | It was discovered that LibreOffice incorrectly handled OLE preview generation. If a user were tricked into opening a crafted document, an attacker could possibly exploit this to embed arbitrary data into documents. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2400-1 CVE-2014-3575 | Version: | 3 |
Platform(s): | Ubuntu 12.04 | Product(s): | libreoffice |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2014-08-28 | IAVM : 2014-B-0117 - Multiple Vulnerabilities in Apache OpenOffice Severity : Category II - VMSKEY : V0054059 |
Snort® IPS/IDS
Date | Description |
---|---|
2015-08-18 | LibreOffice Impress socket manager Use After Free attempt RuleID : 35253 - Revision : 3 - Type : SERVER-OTHER |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-10-12 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_ab947396901811e6a59014dae9d210b8.nasl - Type : ACT_GATHER_INFO |
2016-03-10 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201603-05.nasl - Type : ACT_GATHER_INFO |
2016-02-29 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-273.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20150305_libreoffice_on_SL7_x.nasl - Type : ACT_GATHER_INFO |
2015-03-18 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-0377.nasl - Type : ACT_GATHER_INFO |
2015-03-13 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-0377.nasl - Type : ACT_GATHER_INFO |
2015-03-05 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-0377.nasl - Type : ACT_GATHER_INFO |
2014-12-17 | Name : The remote host contains an application that is affected by a use-after-free ... File : libreoffice_433.nasl - Type : ACT_GATHER_INFO |
2014-12-17 | Name : The remote host contains an application that is affected by multiple vulnerab... File : libreoffice_431.nasl - Type : ACT_GATHER_INFO |
2014-12-17 | Name : The remote host contains an application that is affected by a use-after-free ... File : libreoffice_427.nasl - Type : ACT_GATHER_INFO |
2014-12-17 | Name : The remote host contains an application that is affected by multiple vulnerab... File : libreoffice_4263.nasl - Type : ACT_GATHER_INFO |
2014-12-03 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libreoffice-2014-11-19-141120.nasl - Type : ACT_GATHER_INFO |
2014-11-19 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-682.nasl - Type : ACT_GATHER_INFO |
2014-11-17 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-661.nasl - Type : ACT_GATHER_INFO |
2014-11-11 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2400-1.nasl - Type : ACT_GATHER_INFO |
2014-11-06 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2398-1.nasl - Type : ACT_GATHER_INFO |
2014-09-16 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-540.nasl - Type : ACT_GATHER_INFO |
2014-09-15 | Name : The remote Fedora host is missing a security update. File : fedora_2014-10732.nasl - Type : ACT_GATHER_INFO |
2014-09-12 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libreoffice-201409-140902.nasl - Type : ACT_GATHER_INFO |
2014-09-01 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201408-19.nasl - Type : ACT_GATHER_INFO |
2014-08-27 | Name : The remote Windows host has an application installed that is affected by mult... File : openoffice_411.nasl - Type : ACT_GATHER_INFO |
2014-07-18 | Name : The remote host contains an application that is affected by a vulnerability t... File : macosx_libreoffice_425.nasl - Type : ACT_GATHER_INFO |
2014-07-18 | Name : The remote host contains an application that is affected by a vulnerability t... File : libreoffice_425.nasl - Type : ACT_GATHER_INFO |
2014-07-03 | Name : The remote Fedora host is missing a security update. File : fedora_2014-7679.nasl - Type : ACT_GATHER_INFO |
2014-07-02 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-446.nasl - Type : ACT_GATHER_INFO |
2014-06-24 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2253-1.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2015-12-05 13:27:50 | |
2015-03-19 13:28:28 | |
2015-03-06 13:26:04 | |
2015-03-05 21:22:38 | |