VRDAフィード：脆弱性脅威分析用情報の定型データ配信

VRDA Feed by

Vulnerability Response Decision Assistance Feed : 脆弱性脅威分析用情報の定型データ配信

[ about VRDA Feed | JPCERT/CC ]

分析対象脆弱性情報 (リビジョン番号 : 1)

[ Download XML ]

VRDA-100215-002

OpenOffice.org における複数の脆弱性に対するアップデート

http://development.openoffice.org/releases/3.2.0.html

These notes contain changes between DEV300_m41 and DEV300_m60 + OOO320_m1 and OOO320_m12.

この情報について

分析情報提供元:

JPCERT/CC

初版公開日:

2010-02-15

分析対象脆弱性情報の分類:

アドバイザリ・注意喚起

最終更新日:

2010-02-15

脆弱性の影響を受ける製品の識別子

lapt:/a:openoffice.org:openoffice (OpenOffice)

脆弱性の分析内容

[分析に利用した情報の信頼性]^[?]

低^[?]

中^[?]

高^[?]

[影響の大きさ]^[?]

小^[?]

小～中^[?]

中～大^[?]

大^[?]

[攻撃経路]^[?]

物理アクセス^[?]

ローカルマシン上^[?]

同一セグメント上^[?]

インターネット経由^[?]

[認証レベル]^[?]

管理者アカウント^[?]

一般ユーザアカウント^[?]

フリーアカウント^[?]

不要^[?]

[攻撃成立に必要なユーザの関与]^[?]

複雑^[?]

簡単^[?]

不要^[?]

[攻撃の難易度]^[?]

高^[?]

中～高^[?]

低～中^[?]

低^[?]

[対策の有無]^[?]

公式パッチ有り^[?]

公式回避策有り^[?]

非公式回避策・パッチ有り^[?]

なし^[?]

[インシデントの発生状況]^[?]

活動なし^[?]

Exploit/PoCあり^[?]

活動あり^[?]

関連情報

参考情報

Common Vulnerabilities and Exposures (CVE) CVE-2006-4339

OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c,when using an RSA key with exponent 3, removes PKCS-1 padding beforegenerating a hash, which allows remote attackers to forge a PKCS #1v1.5 signature that is signed by that RSA key and prevents OpenSSLfrom correctly verifying X.509 and other certificates that use PKCS #1.

Common Vulnerabilities and Exposures (CVE) CVE-2009-0217

The design of the W3C XML Signature Syntax and Processing (XMLDsig)recommendation, as implemented in products including (1) the OracleSecurity Developer Tools component in Oracle Application Server10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server componentin BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6;(3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5)IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update14 and earlier; and other products uses a parameter that defines anHMAC truncation length (HMACOutputLength) but does not require aminimum for this length, which allows attackers to spoof HMAC-basedsignatures and bypass authentication by specifying a truncation lengthwith a small number of bits.

Common Vulnerabilities and Exposures (CVE) CVE-2009-2493

The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3,Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold andSP2; does not properly restrict use of OleLoadFromStream ininstantiating objects from data streams, which allows remote attackersto execute arbitrary code via a crafted HTML document with an ATL (1)component or (2) control, related to ATL headers and bypassingsecurity policies, aka "ATL COM Initialization Vulnerability."

Common Vulnerabilities and Exposures (CVE) CVE-2009-2949

Common Vulnerabilities and Exposures (CVE) CVE-2009-2950

Common Vulnerabilities and Exposures (CVE) CVE-2009-3301

Common Vulnerabilities and Exposures (CVE) CVE-2009-3302