CVE Vulnerabilities

CVE-2017-12626

Loop with Unreachable Exit Condition ('Infinite Loop')

Published: Jan 29, 2018 | Modified: Nov 07, 2023
CVSS 3.x: 7.5 HIGH (Source: NVD), CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x: 5 MEDIUM, AV:N/AC:L/Au:N/C:N/I:N/A:P
RedHat/V2:
RedHat/V3: 5.3 MODERATE, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Ubuntu: MEDIUM

Apache POI versions prior to release 3.17 are vulnerable to Denial of Service attacks: 1) infinite loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).

Weakness

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Affected Software

Name | Vendor | Start Version | End Version
Poi | Apache | * | 3.17 (excluding)
Red Hat JBoss A-MQ 6.3 | RedHat | poi | *
Red Hat JBoss Fuse 6.3 | RedHat | poi | *
Libapache-poi-java | Ubuntu | artful | *
Libapache-poi-java | Ubuntu | bionic | *
Libapache-poi-java | Ubuntu | cosmic | *
Libapache-poi-java | Ubuntu | esm-apps/bionic | *
Libapache-poi-java | Ubuntu | esm-apps/xenial | *
Libapache-poi-java | Ubuntu | trusty | *
Libapache-poi-java | Ubuntu | upstream | *
Libapache-poi-java | Ubuntu | xenial | *

References