製品・ソフトウェアに関する情報

JVN脆弱性詳細

OpenOffice およびその他の製品で使用される Redland Raptor における任意のファイルを読まれる脆弱性

Title	OpenOffice およびその他の製品で使用される Redland Raptor における任意のファイルを読まれる脆弱性
Summary	OpenOffice、LibreOffice、およびその他の製品で使用される Redland Raptor には、任意のファイルを読まれる脆弱性が存在します。
Possible impacts	攻撃者により、巧妙に細工された XML 外部エンティティ (XXE) 宣言および RDF 文書の参照を介して、任意のファイルを読まれる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 17, 2012, midnight
Registration Date	June 20, 2012, 2:33 p.m.
Last Update	Dec. 3, 2012, 6:48 p.m.

CVSS2.0 : 警告
Score	4.3
Vector	AV:N/AC:M/Au:N/C:P/I:N/A:N

Affected System

OpenOffice.org Project

OpenOffice.org 3.3

OpenOffice.org 3.4 Beta

The Document Foundation

LibreOffice 3.4.6 未満

LibreOffice 3.5.1 未満の 3.5.x

Redland

Redland Raptor 2.0.7 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-0037	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0037
LibreOffice
2	CVE-2012-0037: XML Entity Expansion flaw by processing RDF file	http://www.libreoffice.org/advisories/CVE-2012-0037/
National Vulnerability Database (NVD)
3	CVE-2012-0037	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0037

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
Debian セキュリティ勧告
1	DSA-2438	http://www.debian.org/security/2012/dsa-2438
Fedora Update Notification
2	FEDORA-2012-4629	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077708.html
3	FEDORA-2012-4663	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078242.html
GitHub
4	dajobe / raptor	https://github.com/dajobe/raptor/commit/a676f235309a59d4aa78eeffd2574ae5d341fcb0
LibreOffice
5	Top Page	http://www.libreoffice.org/
OpenOffice.org
6	Top Page	http://www.openoffice.org/
Red Hat Security Advisory
7	RHSA-2012:0410	http://rhn.redhat.com/errata/RHSA-2012-0410.html
8	RHSA-2012:0411	http://rhn.redhat.com/errata/RHSA-2012-0411.html
Redland
9	Raptor RDF Syntax Library - Release Notes	http://librdf.org/raptor/RELEASE.html#rel2_0_7
10	Top Page	http://librdf.org/raptor/
Security Advisories
11	MDVSA-2012:061	http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2012:061
12	MDVSA-2012:062	http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2012:062
13	MDVSA-2012:063	http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2012:063
The Document Foundation Blog
14	TDF announces LibreOffice 3.4.6	http://blog.documentfoundation.org/2012/03/22/tdf-announces-libreoffice-3-4-6/

Change Log

No	Changed Details	Date of change
0	[2012年06月20日] 掲載 [2012年08月27日] ベンダ情報：Fedora Project (FEDORA-2012-4663) を追加ベンダ情報：Fedora Project (FEDORA-2012-4629) を追加 [2012年12月03日] CVSS による深刻度：基本値と攻撃条件の複雑さを変更	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2012-0037

Summary	Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x before 3.5.1, and other products, allows user-assisted remote attackers to read arbitrary files via a crafted XML external entity (XXE) declaration and reference in an RDF document.
Publication Date	June 17, 2012, 12:41 p.m.
Registration Date	Jan. 28, 2021, 2:52 p.m.
Last Update	Nov. 21, 2024, 10:34 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:librdf:raptor::::::::					2.0.7

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:libreoffice:libreoffice:3.5.0:::::::*
cpe:2.3:a:libreoffice:libreoffice::::::::				3.4.6

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:apache:openoffice:3.3.0:::::::*
cpe:2.3:a:apache:openoffice:3.4.0:beta::::::

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:17:::::::*
cpe:2.3:o:fedoraproject:fedora:16:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.2:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
cpe:2.3:a:redhat:storage:2.0:::::::*
cpe:2.3:a:redhat:storage_for_public_cloud:2.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:6.2:::::::*
cpe:2.3:a:redhat:gluster_storage_server_for_on-premise:2.0:::::::*

Configuration6		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:6.0:::::::*

Related information, measures and tools

No	URL	タグ
1	http://blog.documentfoundation.org/2012/03/22/tdf-announces-libreoffice-3-4-6/	Release Notes
2	http://librdf.org/raptor/RELEASE.html#rel2_0_7	Release Notes
3	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077708.html	Mailing List
4	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078242.html	Mailing List
5	http://rhn.redhat.com/errata/RHSA-2012-0410.html	Third Party Advisory
6	http://rhn.redhat.com/errata/RHSA-2012-0411.html	Third Party Advisory
7	http://secunia.com/advisories/48479	Broken Link Vendor Advisory
8	http://secunia.com/advisories/48493	Broken Link Vendor Advisory
9	http://secunia.com/advisories/48494	Broken Link
10	http://secunia.com/advisories/48526	Broken Link Vendor Advisory
11	http://secunia.com/advisories/48529	Broken Link Vendor Advisory
12	http://secunia.com/advisories/48542	Broken Link Vendor Advisory
13	http://secunia.com/advisories/48649	Broken Link
14	http://secunia.com/advisories/50692	Broken Link
15	http://secunia.com/advisories/60799	Broken Link
16	http://security.gentoo.org/glsa/glsa-201209-05.xml	Third Party Advisory
17	http://vsecurity.com/resources/advisory/20120324-1/	Broken Link
18	http://www.debian.org/security/2012/dsa-2438	Third Party Advisory
19	http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml	Third Party Advisory
20	http://www.libreoffice.org/advisories/CVE-2012-0037/	Vendor Advisory
21	http://www.mandriva.com/security/advisories?name=MDVSA-2012:061	Broken Link
22	http://www.mandriva.com/security/advisories?name=MDVSA-2012:062	Broken Link
23	http://www.mandriva.com/security/advisories?name=MDVSA-2012:063	Broken Link
24	http://www.openoffice.org/security/cves/CVE-2012-0037.html	Mitigation Patch
25	http://www.openwall.com/lists/oss-security/2012/03/27/4	Exploit Mailing List
26	http://www.osvdb.org/80307	Broken Link
27	http://www.securityfocus.com/bid/52681	Broken Link Third Party Advisory VDB Entry
28	http://www.securitytracker.com/id?1026837	Broken Link Third Party Advisory VDB Entry
29	https://exchange.xforce.ibmcloud.com/vulnerabilities/74235	Third Party Advisory VDB Entry
30	https://github.com/dajobe/raptor/commit/a676f235309a59d4aa78eeffd2574ae5d341fcb0	Patch
31	https://lists.apache.org/thread.html/re0504f08000df786e51795940501e81a5d0ae981ecca68141e87ece0%40%3Ccommits.openoffice.apache.org%3E	Mailing List Patch
32	http://blog.documentfoundation.org/2012/03/22/tdf-announces-libreoffice-3-4-6/	Release Notes
33	https://lists.apache.org/thread.html/re0504f08000df786e51795940501e81a5d0ae981ecca68141e87ece0%40%3Ccommits.openoffice.apache.org%3E	Mailing List Patch
34	https://github.com/dajobe/raptor/commit/a676f235309a59d4aa78eeffd2574ae5d341fcb0	Patch
35	https://exchange.xforce.ibmcloud.com/vulnerabilities/74235	Third Party Advisory VDB Entry
36	http://www.securitytracker.com/id?1026837	Broken Link Third Party Advisory VDB Entry
37	http://www.securityfocus.com/bid/52681	Broken Link Third Party Advisory VDB Entry
38	http://www.osvdb.org/80307	Broken Link
39	http://www.openwall.com/lists/oss-security/2012/03/27/4	Exploit Mailing List
40	http://www.openoffice.org/security/cves/CVE-2012-0037.html	Mitigation Patch
41	http://www.mandriva.com/security/advisories?name=MDVSA-2012:063	Broken Link
42	http://www.mandriva.com/security/advisories?name=MDVSA-2012:062	Broken Link
43	http://www.mandriva.com/security/advisories?name=MDVSA-2012:061	Broken Link
44	http://www.libreoffice.org/advisories/CVE-2012-0037/	Vendor Advisory
45	http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml	Third Party Advisory
46	http://www.debian.org/security/2012/dsa-2438	Third Party Advisory
47	http://vsecurity.com/resources/advisory/20120324-1/	Broken Link
48	http://security.gentoo.org/glsa/glsa-201209-05.xml	Third Party Advisory
49	http://secunia.com/advisories/60799	Broken Link
50	http://secunia.com/advisories/50692	Broken Link
51	http://secunia.com/advisories/48649	Broken Link
52	http://secunia.com/advisories/48542	Broken Link Vendor Advisory
53	http://secunia.com/advisories/48529	Broken Link Vendor Advisory
54	http://secunia.com/advisories/48526	Broken Link Vendor Advisory
55	http://secunia.com/advisories/48494	Broken Link
56	http://secunia.com/advisories/48493	Broken Link Vendor Advisory
57	http://secunia.com/advisories/48479	Broken Link Vendor Advisory
58	http://rhn.redhat.com/errata/RHSA-2012-0411.html	Third Party Advisory
59	http://rhn.redhat.com/errata/RHSA-2012-0410.html	Third Party Advisory
60	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078242.html	Mailing List
61	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077708.html	Mailing List
62	http://librdf.org/raptor/RELEASE.html#rel2_0_7	Release Notes

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-611	XML 外部エンティティ参照の不適切な制限	https://cwe.mitre.org/data/definitions/611.html

Configuration5	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.2:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
cpe:2.3:a:redhat:storage:2.0:::::::*
cpe:2.3:a:redhat:storage_for_public_cloud:2.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:6.2:::::::*
cpe:2.3:a:redhat:gluster_storage_server_for_on-premise:2.0:::::::*