SB2023032503 - Remote code execution in OpenOffice

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Code Injection (CVE-ID: CVE-2022-38745)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary Java code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Input validation error (CVE-ID: CVE-2022-47502)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when executing internal macro with arbitrary arguments. A remote attacker can trick the victim to open a specially crafted file, bypass the user approval for opening the links from the document and execute arbitrary script on the system.

Remediation

Install update from vendor's website.

References

• https://www.openoffice.org/security/cves/CVE-2022-38745.html
• https://lists.apache.org/thread/q3noq7m681kvtb29m28x74q8cnwnzzo0
• https://www.openoffice.org/security/cves/CVE-2022-47502.html
• https://lists.apache.org/thread/xr6tl91jj2jgcq8pdbrc4d8w13s6xn80