CVE-2022-26336 is a vulnerability in the HMEF package of Apache POI's poi-scratchpad library, disclosed in March 2022. This package is used for parsing TNEF files (Transport Neutral Encapsulation Format, the winmail.dat attachments produced by Microsoft Outlook and Microsoft Exchange Server). A carefully crafted TNEF file can make the parser raise an Out of Memory exception (an OutOfMemoryError in the JVM) in the process that parses it. Because an OutOfMemoryError is not recoverable in any reliable way, this amounts to a Denial of Service (DoS): the affected application, or the whole JVM hosting it, can be taken down by a single malicious input.

Affected Versions

This vulnerability affects poi-scratchpad version 5.2.0 and all prior releases. It is fixed in poi-scratchpad 5.2.1.

The Exploit

An attacker can exploit this vulnerability by crafting a TNEF file that causes an Out of Memory exception when it is parsed by the HMEF package of poi-scratchpad. No authentication against the library is involved; the only precondition is that the application hands attacker-controlled bytes to the parser. Any application that uses poi-scratchpad and allows untrusted users to supply TNEF files (for example, a mail gateway, an e-discovery tool or an upload endpoint that extracts winmail.dat attachments) is therefore exposed to a crash or a hung service.

Here is an example of what the code in an affected application might look like (the original snippet called a non-existent attr.getName() and never closed the stream; both are fixed here, the parsing behaviour is unchanged):

import org.apache.poi.hmef.HMEFMessage;
import org.apache.poi.hmef.attribute.TNEFAttribute;
import java.io.FileInputStream;
import java.io.IOException;

public class ParseTNEF {

    public static void main(String[] args) throws IOException {
        // Read the TNEF file; try-with-resources closes the stream when parsing is done
        try (FileInputStream fis = new FileInputStream("path/to/tnef-file")) {
            // Parsing happens entirely inside this constructor: an affected
            // poi-scratchpad version allocates memory based on the file contents here
            HMEFMessage message = new HMEFMessage(fis);
            // List the message-level attributes found in the TNEF stream
            for (TNEFAttribute attr : message.getMessageAttributes()) {
                System.out.println("Attribute: " + attr.getProperty());
            }
        }
    }
}

In this example, the application reads a TNEF file from a specified path, parses it, and prints its message attributes. If the path is controlled by an untrusted user, a crafted TNEF file triggers the Out of Memory exception inside the HMEFMessage constructor on affected versions of poi-scratchpad, before the application ever sees an attribute.

Mitigation

To mitigate this vulnerability, upgrade to poi-scratchpad version 5.2.1 or later; this is the only complete fix. If upgrading is not immediately possible, reduce exposure with input validation and resource limits: reject TNEF input above a sensible size, check the file structure before handing it to the library, and parse untrusted files in an isolated worker (a separate JVM with its own -Xmx heap cap) so that an OutOfMemoryError cannot take down the main service. Note that a file-size cap on its own is not sufficient, since a small file can still carry length fields that drive large allocations.
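The following class is an added example, not code from the original article or from the Apache POI project. It shows how the two interim measures above, input validation and a resource budget, can be put in front of the vulnerable call from the Exploit section: the file is read only if it is within a size budget (the 2 MiB value is an assumed illustration), the TNEF signature is verified, and the attribute stream is walked once so that any attribute whose declared length exceeds the bytes actually present is rejected before poi-scratchpad ever sees the data. Only then is the buffer passed to HMEFMessage. The class name, the size constant and the method names are this example's own choices; the TNEF layout it checks (4-byte little-endian signature 0x223E9F78, 2-byte attachment key, then repeated level/id/length/data/checksum records) is the standard format the library parses.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.file.Files;
import java.nio.file.Path;

import org.apache.poi.hmef.HMEFMessage;
import org.apache.poi.hmef.attribute.TNEFAttribute;

public class GuardedTnefParser {

    // Assumed budget for this example; size it to the largest legitimate TNEF you expect.
    static final long MAX_TNEF_BYTES = 2L * 1024 * 1024;

    // Every TNEF stream starts with this little-endian signature
    // (POI exposes the same value as HMEFMessage.HEADER_SIGNATURE).
    static final int TNEF_SIGNATURE = 0x223E9F78;

    /** Reads the file into memory only if it is within the size budget. */
    static byte[] readBounded(Path file) throws IOException {
        long size = Files.size(file);
        if (size > MAX_TNEF_BYTES) {
            throw new IOException("TNEF input too large: " + size + " bytes");
        }
        return Files.readAllBytes(file);
    }

    /**
     * Structural pre-check: verify the signature, then walk the attribute records
     * and reject any record whose declared length does not fit in the bytes remaining.
     * Layout: signature(4) key(2) then repeated [level(1) id(4) length(4) data(length) checksum(2)].
     */
    static void checkAttributeLengths(byte[] data) throws IOException {
        ByteBuffer buf = ByteBuffer.wrap(data).order(ByteOrder.LITTLE_ENDIAN);
        if (buf.remaining() < 6 || buf.getInt() != TNEF_SIGNATURE) {
            throw new IOException("not a TNEF stream");
        }
        buf.getShort(); // attachment key, not needed for the check
        while (buf.remaining() > 0) {
            if (buf.remaining() < 9) {
                throw new IOException("truncated attribute header at offset " + buf.position());
            }
            int level = buf.get() & 0xFF;          // 1 = message level, 2 = attachment level
            int id = buf.getInt();                 // attribute id and type packed in one DWORD
            long length = buf.getInt() & 0xFFFFFFFFL; // declared data length, read as unsigned
            if (level != 1 && level != 2) {
                throw new IOException("unexpected attribute level " + level);
            }
            // The 2 trailing bytes are the checksum, so data may use at most remaining - 2 bytes.
            if (length > buf.remaining() - 2L) {
                throw new IOException(String.format(
                    "attribute 0x%08x (level %d) declares %d bytes but only %d remain",
                    id, level, length, buf.remaining()));
            }
            buf.position(buf.position() + (int) length + 2); // skip data and checksum
        }
    }

    /** Validates the input and only then hands it to poi-scratchpad. */
    static HMEFMessage parse(Path file) throws IOException {
        byte[] data = readBounded(file);
        checkAttributeLengths(data);
        try (InputStream in = new ByteArrayInputStream(data)) {
            return new HMEFMessage(in);
        }
    }

    public static void main(String[] args) throws IOException {
        HMEFMessage message = parse(Path.of(args[0]));
        System.out.println("Subject: " + message.getSubject());
        for (TNEFAttribute attr : message.getMessageAttributes()) {
            System.out.println("Attribute: " + attr.getProperty()
                + " (" + attr.getData().length + " bytes)");
        }
    }
}
```

Run it as `java GuardedTnefParser winmail.dat` with poi-scratchpad and its dependencies on the classpath. The pre-check catches the most common malformation, a record that claims more data than the file holds, but it only inspects the outer TNEF records, not the MAPI property payloads nested inside them, so it narrows the attack surface rather than closing it. Treat it as a stopgap while the upgrade to 5.2.1 is rolled out, and combine it with running the parser in a separate, heap-capped JVM so that any remaining OutOfMemoryError is contained.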

For more information on CVE-2022-26336, consult the following sources:

1. Apache POI's Announcement: CVE-2022-26336 - Out of Memory in the HMEF Package
2. NVD - National Vulnerability Database: CVE-2022-26336 Detail

Conclusion

CVE-2022-26336 is a denial-of-service vulnerability in the HMEF package of Apache POI's poi-scratchpad library, affecting applications that use it to parse TNEF files. By crafting a malicious file, an attacker can cause an Out of Memory exception, leading to application failure and service disruption. To protect your systems, upgrade to poi-scratchpad 5.2.1 or later; until then, apply input validation, size limits and process isolation to contain the impact.

Timeline

Published on: 03/04/2022 16:15:00 UTC
Last modified on: 03/22/2022 19:16:00 UTC