Apache OpenOffice remote code execution flaw [CVE-2021-33035]
CVE number = CVE-2021-33035
Security researcher Eugene Lim (@spaceraccoonsec) has revealed technical details about a remote code execution flaw in Apache OpenOffice. The researcher disclosed the flaw at HackerOne’s Hacktivity online conference after the company failed to address the vulnerability by August 30th, 2021.
An attacker could trigger the flaw by tricking the victim into opening a specially crafted .dbf file.
At the time of the blog post, the flaw had only been addressed in a beta software update, with the official release still pending.
CVE-2021-33035: RCE in Apache OpenOffice up to 4.1.10 – pure memory corruption. Just talked about it at #hacktivitycon and full writeup at https://t.co/qYutUfml6J. More to come on CVE-2021-38646 Microsoft Office RCE…
— spaceraccoon 🦝 | Eugene Lim (@spaceraccoonsec) September 18, 2021
The beta installers that address the issue are available here and the source code that contains the patch is here.
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.