OpenOffice Macro vulnerability might lead to arbitrary script execution

At the beginning of this year I discovered that the macro vulnerability in LibreOffice (CVE-2022-3140) also existed in OpenOffice and reported this through responsible disclosure to the developers of OpenOffice. It is now fixed in release version 4.1.14.

What exactly the vulnerability does is the following:

I’ve installed OpenOffice 4.1.13 (Apache_OpenOffice_4.1.13_Win_x86_install_en-US.exe) and noticed that if I open a file that contains the following command in OpenOffice Writer, the calculator is opened on my computer.

  <iframe src='macro:Shell("calc.exe")'></iframe>

Screenshot 1

This happens although Macro Security is set to high.

Screenshot 2
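Because the trigger is just a URL attribute with the `macro:` scheme, documents can be screened for it before they reach an unpatched installation. The following is an added example, not code from the original post or from the OpenOffice project; the names `find_macro_urls`, `MacroUrlFinder`, `URL_ATTRS` and the sample document are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Attributes that can carry a URL (assumed list; extend it for your own corpus).
URL_ATTRS = {"src", "href", "data", "action", "background"}
# The scheme used in the post's iframe.
FLAGGED_SCHEMES = ("macro:",)


def _normalize(value):
    # Strip whitespace/control characters and lower-case the value so padded or
    # mixed-case spellings are compared the same way. This is defensive
    # normalization; the post does not say which spellings OpenOffice accepts.
    return "".join(ch for ch in value if ch > " ").lower()


class MacroUrlFinder(HTMLParser):
    """Collects (line, tag, attribute, value) for every macro: URL attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()  # position of the tag's opening '<'
        for name, value in attrs:
            # html.parser lower-cases names and decodes entities in values.
            if name in URL_ATTRS and value and _normalize(value).startswith(FLAGGED_SCHEMES):
                self.findings.append((line, tag, name, value))


def find_macro_urls(html_text):
    finder = MacroUrlFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample document: line 3 is the iframe from the post, line 5 the
# same value with entity-encoded quotes, padding and mixed case.
SAMPLE = """<html><body>
<p>Quarterly report</p>
<iframe src='macro:Shell("calc.exe")'></iframe>
<a href="https://www.openoffice.org/">home</a>
<IFRAME SRC=" MaCro:Shell(&quot;calc.exe&quot;)"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, value in find_macro_urls(SAMPLE):
        print(f"line {line}: <{tag} {attr}={value!r}>")
```

A hit is a reason to quarantine the file for review; the fix itself is the upgrade to 4.1.14 mentioned above.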

The vulnerability was assigned the following number and title: “CVE-2022-47502: Apache OpenOffice: Macro URL arbitrary script execution”.

For further information see the following links:

https://www.openoffice.org/security/cves/CVE-2022-47502.html

https://www.cve.org/CVERecord?id=CVE-2022-47502

https://www.libreoffice.org/about-us/security/advisories/cve-2022-3140/

https://twitter.com/joernchen/status/1582367523710054403

This vulnerability was also disclosed independently by Altin Thartori (tin-z).

Responsible disclosure timeline (excerpt):

  • 19/01/2023: Discovery and reporting to security@openoffice.apache.org
  • 20/01/2023: Response from OpenOffice with test build
  • 20/01/2023: Confirmation that test build fixes the vulnerability
  • 27/02/2023: Release of Apache OpenOffice 4.1.14 which closes the vulnerability
  • 24/03/2023: Publishing of CVE on https://www.cve.org/CVERecord?id=CVE-2022-47502
  • 01/04/2023: Announcement of vulnerability on OpenOffice Mailing List