05.03.17

Background Information

MarkLogic has released an update that addresses a security issue discovered in the MarkLogic document conversion mechanism. See below for more information about the MarkLogic release that patches this issue.

Impact

MarkLogic can convert Office documents. This capability relies on functionality provided by Antenna House (Office2HTML), which is invoked explicitly through the functions xdmp:word-convert, xdmp:excel-convert and xdmp:powerpoint-convert, or implicitly through use of the MarkLogic document conversion pipeline.

Antenna House has incorporated fixes into their most recent release. MarkLogic has issued an update that includes these fixes.

The following CVEs for Antenna House have been published:

| CVE | Description | CVSS v3 Score |
|---|---|---|
| CVE-2016-8382 | Exploitable heap corruption | 8.3 – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| CVE-2016-8383 | Exploitable heap corruption | 8.3 – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| CVE-2016-8384 | Exploitable heap corruption | 8.3 – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| CVE-2017-2783 | Exploitable heap corruption | 8.3 – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| CVE-2017-2792 | Exploitable heap corruption | 8.3 – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| CVE-2017-2793 | Exploitable heap corruption | 8.3 – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| CVE-2017-2794 | Exploitable stack-based buffer overflow | 8.3 – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| CVE-2017-2795 | Exploitable heap corruption | 8.3 – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| CVE-2017-2797 | Exploitable heap overflow | 8.3 – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| CVE-2017-2798 | Exploitable heap corruption | 8.3 – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| CVE-2017-2799 | Exploitable heap corruption | 8.3 – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |

These are considered to be vulnerabilities of “High” severity based on CVSS base scores in excess of 7.0. A carefully crafted file could be used to cause arbitrary code execution in some cases.

Resolution

The latest version of Antenna House (v1.1-2017-0321) patches the security issues listed above. The newer version is incorporated into MarkLogic 8.0-6.4. See below for installation and download information.
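
An added triage example, not MarkLogic's own code: it compares a server version string against the fixed release 8.0-6.4 and lists explicit calls to the three conversion functions in XQuery source. It assumes the version string has the form returned by xdmp:version() (for example "8.0-6.3"); the sample module is constructed, and implicit use through the conversion pipeline is not detected by a source scan.

```python
import re

# Fixed release named in this bulletin; it says nothing about other release lines.
FIXED = (8, 0, 6, 4)
VERSION = re.compile(r"^(\d+)\.(\d+)-(\d+)(?:\.(\d+))?$")
# Explicit conversion entry points listed in the Impact section.
CONVERT_CALL = re.compile(r"\bxdmp:(word|excel|powerpoint)-convert\s*\(")
# XQuery comments "(: ... :)". Nested comments are not handled (assumption).
COMMENT = re.compile(r"\(:.*?:\)", re.S)


def parse_version(text):
    """Turn a version string such as '8.0-6.3' into a comparable 4-tuple."""
    m = VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def patch_status(text):
    """Return 'patched', 'unpatched' or 'not-covered' for a server version."""
    v = parse_version(text)
    if v[:2] != FIXED[:2]:
        return "not-covered"  # only the 8.0 line is named in the bulletin
    return "patched" if v >= FIXED else "unpatched"


def find_convert_calls(source):
    """List (line number, function name) for explicit conversion calls."""
    # Blank out comments but keep their newlines so line numbers stay correct.
    stripped = COMMENT.sub(lambda m: "\n" * m.group().count("\n"), source)
    hits = []
    for lineno, line in enumerate(stripped.splitlines(), start=1):
        for m in CONVERT_CALL.finditer(line):
            hits.append((lineno, f"xdmp:{m.group(1)}-convert"))
    return hits


# Constructed sample module, for illustration only.
SAMPLE = '''xquery version "1.0-ml";
(: constructed sample module :)
let $doc := xdmp:document-get("/tmp/in.doc")
(: xdmp:excel-convert($doc, "old.xls") :)
return xdmp:word-convert($doc, "in.doc")
'''

if __name__ == "__main__":
    print(patch_status("8.0-6.3"), find_convert_calls(SAMPLE))
```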

Additional Information

MarkLogic 8.0-6.4 is available for download at: http://developer.marklogic.com/products.

For more information on MarkLogic text extraction and document conversion, see here:

Knowledgebase article here: https://help.marklogic.com/Knowledgebase/Article/View/xxx/.

Acknowledgements

MarkLogic would like to thank Cisco Talos and Marcin Noga for making MarkLogic aware of the security issues described in this bulletin.

Additionally, MarkLogic would like to thank Antenna House for their support.
