Apache OpenOffice, the popular office productivity suite, has recently disclosed two vulnerabilities in its package, both of which have now been fixed. According to the official announcement, the vulnerabilities were eliminated in the release of Apache OpenOffice 4.1.14.
The first vulnerability, identified as CVE-2022-47502, allows an attacker to place a link in a document that calls a macro with arbitrary arguments. The script is executed when the user clicks the link, or automatically when events related to the document are triggered, without any prior confirmation of the operation. The problem has been classified as critical.
The second vulnerability, CVE-2022-38745, allows OpenOffice to be configured to add an empty entry to the Java class search path, which can be used to run arbitrary Java code located in the current directory. This vulnerability has been assigned a moderate severity level.
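A check for the condition behind CVE-2022-38745, written as an added example that is not code from Apache OpenOffice or its advisory: it locates empty entries in a class path string (produced by a leading, trailing or doubled separator) and returns a cleaned value. The function names and the sample paths are constructed for illustration.

```python
import os


def empty_entry_positions(class_path, sep=os.pathsep):
    """Return zero-based positions of empty entries in a class path string.

    An empty string (no class path configured) yields no findings.
    """
    if not class_path:
        return []
    return [i for i, entry in enumerate(class_path.split(sep)) if entry == ""]


def drop_empty_entries(class_path, sep=os.pathsep):
    """Return the class path with every empty entry removed."""
    return sep.join(entry for entry in class_path.split(sep) if entry != "")


def audit(settings, sep=os.pathsep):
    """Map each offending setting name to (empty positions, cleaned value)."""
    findings = {}
    for name, class_path in settings.items():
        positions = empty_entry_positions(class_path, sep)
        if positions:
            findings[name] = (positions, drop_empty_entries(class_path, sep))
    return findings


# Constructed sample values (not taken from any real installation).
SAMPLES = {
    "clean": "/opt/app/lib/a.jar:/opt/app/lib/b.jar",
    "leading": ":/opt/app/lib/a.jar",
    "trailing": "/opt/app/lib/a.jar:",
    "doubled": "/opt/app/lib/a.jar::/opt/app/lib/b.jar",
}

if __name__ == "__main__":
    for name, (positions, cleaned) in audit(SAMPLES, sep=":").items():
        print(f"{name}: empty entry at {positions}; cleaned value: {cleaned}")
```

Pass `sep=";"` when checking class path values written for Windows.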
It’s important to note that the vulnerabilities were initially disclosed in a security advisory published online almost a month after the release of OpenOffice 4.1.14. Users are advised to update their OpenOffice installation to the latest version and to remain cautious when opening external links in documents.
For more information on the vulnerabilities and mitigation steps, users can refer to the official Apache OpenOffice security page at https://www.openoffice.org/security/cves/cve-2022-38745.html.