CERT-In Vulnerability Note CIVN-2007-160
HSQLDB Database Engine Code Execution Vulnerability in OpenOffice
Original Issue Date:
December 19, 2007
Severity Rating:
Medium
Systems Affected
• All versions prior to OpenOffice.org 2.3.1
Overview
A vulnerability has been reported in OpenOffice which could be exploited by remote or local attackers to execute arbitrary static Java code.
Description
A vulnerability has been reported in HSQLDB, the default database engine for OpenOffice.org (all versions), due to an unspecified vector. A remote attacker could exploit the vulnerability by creating a specially crafted database document and getting a user to open it, which executes arbitrary static Java code on the affected system.
Solution
Update to version 2.3.1 (HSQLDB 1.8.0.9).
http://download.openoffice.org/index.html
Vendor Information
OpenOffice.org
http://www.openoffice.org/security/cves/CVE-2007-4575.html
References
Secunia
http://secunia.com/advisories/27928/
FrSIRT
http://www.frsirt.com/english/advisories/2007/4092
SecurityFocus
http://www.securityfocus.com/bid/26703
CVE Name
CVE-2007-4575
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
