CVE-2022-47502: RCE security vulnerability in Apache OpenOffice
Apache OpenOffice, the open-source productivity suite maintained by the Apache Software Foundation, is widely deployed and available in many languages. That reach also makes it an attractive target, so security fixes matter to a large user base. Two security vulnerabilities, CVE-2022-38745 and CVE-2022-47502, have recently been disclosed in Apache OpenOffice versions prior to 4.1.14; both are fixed in 4.1.14.
CVE-2022-38745: An empty class path may lead to run arbitrary Java code
Description
CVE-2022-38745 is a moderate-severity vulnerability affecting Apache OpenOffice 4.1.13 and older. An affected installation may be configured so that an empty entry is added to the Java class path. The Java runtime resolves an empty class path element to the current working directory, so Java classes placed in the directory OpenOffice is started from could be loaded and run as arbitrary Java code.
CVE-2022-38745 was reported to the Apache OpenOffice Security Team through the European Commission's Open Source Programme Office.
No public exploit or proof-of-concept demonstration is known for this vulnerability, but it should still be addressed to keep OpenOffice installations secure.
Mitigation
To fix this vulnerability, install Apache OpenOffice 4.1.14, which contains this fix together with the other cumulative maintenance and security fixes. The update can be downloaded from the Apache OpenOffice download page. Until the upgrade is done, review the user class path configured in OpenOffice's Java options for empty entries, and avoid starting OpenOffice from directories that untrusted users can write to.
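The description above turns into a concrete check. The following is an added example, not code from Apache OpenOffice: it audits a class path string the way the JVM interprets it (empty or "." elements become the working directory) and pulls the user class path out of a registrymodifications.xcu fragment. The configuration path /org.openoffice.Office.Java/VirtualMachine and the property name UserClassPath are assumptions about the OpenOffice user profile, and the profile fragment is constructed for the demo.

```python
"""Audit a Java class path for elements that resolve to the current directory.

Added example for this page, not code from Apache OpenOffice. The JVM treats an
empty class path element (a leading, trailing or doubled separator) as ".", the
working directory of the process, which is the condition CVE-2022-38745 describes.
"""
import os
import xml.etree.ElementTree as ET

# Assumption: the user-added class path is stored in registrymodifications.xcu
# under this item path and property; check your own profile before relying on it.
OOR_NS = "http://openoffice.org/2001/registry"
JAVA_ITEM_PATH = "/org.openoffice.Office.Java/VirtualMachine"
USER_CLASSPATH_PROP = "UserClassPath"


def split_classpath(cp, sep=os.pathsep):
    """Split exactly as the JVM does: empty elements are kept, not dropped.
    An entirely empty string is treated as 'nothing configured'."""
    return cp.split(sep) if cp else []


def cwd_entries(cp, sep=os.pathsep):
    """Indexes of elements the JVM resolves to the current directory:
    the empty string, '.', './' and similar spellings."""
    return [i for i, e in enumerate(split_classpath(cp, sep))
            if os.path.normpath(e) == "."]


def sanitize_classpath(cp, sep=os.pathsep):
    """Rebuild the class path without current-directory elements."""
    return sep.join(e for e in split_classpath(cp, sep)
                    if os.path.normpath(e) != ".")


def user_classpath_from_xcu(xcu_text):
    """Extract the user class path from a registrymodifications.xcu document.
    Returns None if the assumed item/property is absent."""
    root = ET.fromstring(xcu_text)
    for item in root.iter("item"):
        if item.get("{%s}path" % OOR_NS) != JAVA_ITEM_PATH:
            continue
        for prop in item.iter("prop"):
            if prop.get("{%s}name" % OOR_NS) == USER_CLASSPATH_PROP:
                value = prop.find("value")
                return (value.text or "") if value is not None else ""
    return None


def audit_profile(xcu_text, sep=":"):
    """Return (classpath, offending_indexes, sanitized) or None if not configured."""
    cp = user_classpath_from_xcu(xcu_text)
    if cp is None:
        return None
    return cp, cwd_entries(cp, sep), sanitize_classpath(cp, sep)


# Constructed sample profile fragment: the trailing ':' leaves an empty element.
SAMPLE_XCU = """<oor:items xmlns:oor="http://openoffice.org/2001/registry">
 <item oor:path="/org.openoffice.Office.Java/VirtualMachine">
  <prop oor:name="UserClassPath" oor:op="fuse"><value>/home/user/lib/report.jar:</value></prop>
 </item>
</oor:items>"""


if __name__ == "__main__":
    cp, bad, clean = audit_profile(SAMPLE_XCU)
    print("class path:               ", cp)
    print("elements resolving to cwd:", bad)
    print("sanitized:                ", clean)
```

On the constructed sample the audit reports element 1 (the empty entry after the trailing separator) and the sanitized value drops it. Pass sep=";" for a Windows profile. The check is an inventory aid only; the fix is the 4.1.14 upgrade.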
CVE-2022-47502: Macro URL arbitrary script execution without warning
Description
CVE-2022-47502 is a critical-severity vulnerability affecting Apache OpenOffice 4.1.13 and older. OpenOffice documents can contain links that call internal macros with arbitrary arguments; several URL schemes exist for this purpose, and such a link can be activated by a click or by an automatic document event. Executing the link must be subject to user approval, but in the affected versions approval is not requested for certain links, so activating them can result in arbitrary script execution with no warning to the user.
Altin Thartori (tin-z) was credited by the Apache OpenOffice Security Team with the discovery and reporting of CVE-2022-47502.
A proof-of-concept demonstration exists for this vulnerability, which makes prompt patching more urgent: users can be exploited by simply opening a crafted document.
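For triage of documents that arrive from outside, here is an added example (not code from Apache OpenOffice and not the reporter's proof of concept) that opens an ODF package and lists every xlink:href in content.xml and styles.xml whose scheme hands control to a macro, distinguishing hyperlinks (need a click) from document event listeners (fire on events such as load). The scheme list macro: and vnd.sun.star.script: is an assumption drawn from OpenOffice's macro URL forms; the advisory does not say which specific links skipped the approval prompt. The sample .odt and the macro name in it are constructed for the demo.

```python
"""Triage an ODF document for links that invoke a macro.

Added example for this page, not code from Apache OpenOffice or from the
reporter's proof of concept. Builds a small constructed .odt in memory and
reports each macro-invoking xlink:href found in the package.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}
XLINK_HREF = "{%s}href" % NS["xlink"]
EVENT_NAME = "{%s}event-name" % NS["script"]
# Assumption: URL schemes that run a macro when the link is activated.
MACRO_SCHEMES = ("macro:", "vnd.sun.star.script:")


def macro_links(odf_bytes):
    """Return (part, element, event, href) for each macro-invoking link.
    'event' is the script:event-name for listeners (fires without a click),
    None for ordinary hyperlinks."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for part in ("content.xml", "styles.xml"):
            if part not in zf.namelist():
                continue
            for el in ET.fromstring(zf.read(part)).iter():
                href = el.get(XLINK_HREF, "")
                if href.lower().startswith(MACRO_SCHEMES):
                    findings.append((part, el.tag.rsplit("}", 1)[-1],
                                     el.get(EVENT_NAME), href))
    return findings


def build_sample_odt():
    """Constructed sample document (not a real-world file): one dom:load
    listener, one hyperlink to a hypothetical macro, one ordinary web link."""
    content = (
        '<office:document-content xmlns:office="%(office)s" xmlns:text="%(text)s" '
        'xmlns:script="%(script)s" xmlns:xlink="%(xlink)s" office:version="1.2">'
        '<office:scripts><office:event-listeners>'
        '<script:event-listener script:language="ooo:script" script:event-name="dom:load" '
        'xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document" '
        'xlink:type="simple"/>'
        '</office:event-listeners></office:scripts>'
        '<office:body><office:text>'
        '<text:p>Figures: <text:a xlink:type="simple" '
        'xlink:href="macro:///Standard.Module1.Main(42)">open</text:a></text:p>'
        '<text:p><text:a xlink:type="simple" xlink:href="https://example.org/">site</text:a></text:p>'
        '</office:text></office:body></office:document-content>'
    ) % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # ODF requires the mimetype entry first and stored uncompressed.
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for part, tag, event, href in macro_links(build_sample_odt()):
        trigger = "event %s" % event if event else "click"
        print("%s: <%s> fires on %s -> %s" % (part, tag, trigger, href))
```

On the sample the scanner reports two hits, the dom:load listener and the macro: hyperlink, and ignores the https link. Point macro_links() at the bytes of a real file to triage it; a listener hit is the more urgent case because no user interaction is needed.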
Mitigation
To mitigate CVE-2022-47502, install Apache OpenOffice 4.1.14, which contains this fix together with the other cumulative maintenance and security fixes. The update can be downloaded from the Apache OpenOffice download page. Until the upgrade is done, do not open documents from untrusted sources in OpenOffice, since the affected links can be activated by document events without any click.