CVE-2014-3574 — Improper Input Validation in Apache POI

Description

Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

How to fix CVE-2014-3574

To remediate CVE-2014-3574, upgrade the affected package to a fixed version below.

Debian/libapache-poi-java—upgrade to 3.10.1-1 or later
Maven/org.apache.poi:poi—upgrade to 3.10.1 or later

Is CVE-2014-3574 being exploited?

Moderate — EPSS is 12.6%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 3.10.1-1
from 0, < 3.10.1

References (16)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-3574
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-3574
PATCHgithub.com/apache/poi
WEBpoi.apache.org/changes.html
WEBrhn.redhat.com/errata/RHSA-2014-1370.html