Vulnerability Name:

CVE-2014-9527 (CCN-99799)

Assigned:2014-12-07
Published:2014-12-07
Updated:2017-02-11
Summary:HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-399
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2014-9527

Source: FEDORA
Type: UNKNOWN
FEDORA-2015-2090

Source: CCN
Type: Apache Web site
History of Changes

Source: CONFIRM
Type: UNKNOWN
http://poi.apache.org/changes.html

Source: CCN
Type: RHSA-2016-1135
Important: Red Hat JBoss Data Virtualization security and bug fix update

Source: SECUNIA
Type: UNKNOWN
61953

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21996759

Source: CCN
Type: IBM Security Bulletin 1989525 (Maximo Asset Management)
Multiple vulnerabilities in Apache POI affect Asset and Service Management

Source: CCN
Type: IBM Security Bulletin 1991839 (WebSphere Dashboard Framework)
IBM WebSphere Dashboard Framework is affected by multiple security vulnerabilities in Apache POI

Source: CCN
Type: IBM Security Bulletin 1991845 (Web Experience Factory)
IBM Web Experience Factory is affected by multiple security vulnerabilities in Apache POI

Source: CCN
Type: IBM Security Bulletin 1991969 (PredictiveInsight)
Multiple vulnerabilities in Apache POI affect IBM PredictiveInsight

Source: CCN
Type: IBM Security Bulletin 1994719 (Security QRadar SIEM)
Apache POI as used in IBM QRadar SIEM is vulnerable to variousCVEs.

Source: CCN
Type: IBM Security Bulletin 1996759 (InfoSphere Information Server)
Vulnerabilities in Apache POI affects IBM InfoSphere Information Server

Source: CCN
Type: IBM Security Bulletin 1999965 (Rational Collaborative Lifecycle Management)
Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology

Source: CCN
Type: IBM Security Bulletin 2009259 (Cognos Business Intelligence)
IBM Cognos Business Intelligence Server 2017Q3 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 2010049 (Control Center)
Multiple vulnerabilities in IBM Cognos affect IBM Control Center (CVE-2012-0213, CVE-2014-3574, CVE-2014-3529, CVE-2014-9527)

Source: CCN
Type: IBM Security Bulletin 2015565 (Campaign)
Multiple Open Source Apache POI Vulnerabilities Impact IBM Campaign

Source: CCN
Type: IBM Security Bulletin 2016039 (Cognos Analytics)
Multiple Vulnerabilities in IBM Cognos Analytics

Source: BID
Type: UNKNOWN
77726

Source: CCN
Type: BID-77726
POI CVE-2014-9527 Denial-Of-Service Vulnerability

Source: REDHAT
Type: UNKNOWN
RHSA-2016:1135

Source: XF
Type: UNKNOWN
apache-poi-cve20149527-dos(99799)

Source: CONFIRM
Type: UNKNOWN
https://issues.apache.org/bugzilla/show_bug.cgi?id=57272

Source: CCN
Type: IBM Security Bulletin 1991080 (eDiscovery Manager)
OpenSource Apache Poi Vulnerabilities in IBM eDiscovery Manager

Vulnerable Configuration:Configuration 1:
  • cpe:/o:fedoraproject:fedora:20:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/a:apache:poi:*:beta3:*:*:*:*:*:* (Version <= 3.11)

    • Configuration CCN 1:
  • cpe:/a:apache:poi:3.11:beta3:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:maximo_asset_management:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:8.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_business_intelligence:10.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_business_intelligence:10.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.1.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_dashboard_framework:7.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:web_experience_factory:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_business_intelligence:10.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:campaign:8.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:campaign:9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_business_intelligence:10.2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_data_virtualization:*:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:web_experience_factory:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:web_experience_factory:8.5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_business_intelligence:10.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:campaign:9.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:control_center:6.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:campaign:9.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:campaign:10.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:control_center:6.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.0.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    fedoraproject fedora 20
    apache poi * beta3
    apache poi 3.11 beta3
    ibm maximo asset management 7.1
    ibm maximo asset management 7.5
    ibm infosphere information server 8.7
    ibm infosphere information server 9.1
    ibm cognos business intelligence 10.1.1
    ibm cognos business intelligence 10.2
    ibm qradar security information and event manager 7.1.1 -
    ibm websphere dashboard framework 7.0.1
    ibm web experience factory 8.0
    ibm cognos business intelligence 10.2.1
    ibm campaign 8.6
    ibm campaign 9.1
    ibm qradar security information and event manager 7.2
    ibm maximo asset management 7.1.1
    ibm cognos business intelligence 10.2.1.1
    redhat jboss data virtualization *
    ibm web experience factory 8.5
    ibm web experience factory 8.5.0.1
    ibm infosphere information server 11.3
    ibm rational collaborative lifecycle management 4.0
    ibm rational collaborative lifecycle management 4.0.1
    ibm rational collaborative lifecycle management 4.0.2
    ibm rational collaborative lifecycle management 4.0.3
    ibm rational collaborative lifecycle management 4.0.4
    ibm rational collaborative lifecycle management 4.0.5
    ibm rational collaborative lifecycle management 4.0.6
    ibm rational collaborative lifecycle management 5.0
    ibm rational collaborative lifecycle management 4.0.7
    ibm rational collaborative lifecycle management 5.0.1
    ibm cognos business intelligence 10.2.2
    ibm maximo asset management 7.6
    ibm rational collaborative lifecycle management 5.0.2
    ibm campaign 9.1.1
    ibm control center 6.0.0.1
    ibm rational collaborative lifecycle management 6.0
    ibm infosphere information server 11.5
    ibm rational collaborative lifecycle management 6.0.1
    ibm campaign 9.1.2
    ibm rational collaborative lifecycle management 6.0.2
    ibm campaign 10.0
    ibm rational collaborative lifecycle management 6.0.3
    ibm control center 6.1.0.1
    ibm cognos analytics 11.0.0.0