IBM0B000A0891A3DD2B6FEEDDE868C5765ECFB2CF839563136900F2FFB29F7ED71CSecurity Bulletin: Atlas eDiscovery Process Management is affected by a vulnerable poi-ooxml-3.9.jar
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
7.1 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
0.014 Low
EPSS
Percentile
86.2%
Summary
Atlas eDiscovery Process Management is affected by a vulnerable poi-ooxml-3.9.jar. Hence poi-ooxml-3.9.jar upgraded to poi-ooxml-4.0.jar to fix vulnerabilities.
Vulnerability Details
CVEID:CVE-2017-5644
**DESCRIPTION:**Apache POI is vulnerable to a denial of service, cause by an XML External Entity Injection (XXE) error when processing XML data. By using a specially-crafted OOXML file, a remote attacker could exploit this vulnerability to consume all available CPU resources.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/123699 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2019-12415
**DESCRIPTION:**Apache POI could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by tool XSSFExportToXml. By sending a specially-crafted document, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170015 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2014-3574
**DESCRIPTION:**Apache POI is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. An attacker could exploit this vulnerability using a specially-crafted OOXML file to consume all available CPU resources and cause a denial of service.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/95768 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVEID:CVE-2014-3529
**DESCRIPTION:**Apache POI could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error within the OPC SAX setup. An attacker could exploit this vulnerability using a specially-crafted OpenXML file containing an XML external entity declaration to read arbitrary files on the system.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/95770 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| Atlas eDiscovery Process Management | 6.0.3 |
Remediation/Fixes
_ Product_
|
_ VRMF_
|
_ Remediation/First Fix_
โ|โ|โ
Atlas eDiscovery Process Management
|
6.0.3
|
Apply Fix Pack 6.0.3.9 Interim fix 7, available from Fix Central
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| atlas ediscovery process management | eq | 6.0.3.9 |
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
7.1 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
0.014 Low
EPSS
Percentile
86.2%