LibreOffice Patches Critical Vulnerability in LibreOfficeKit - 20240702003
Overview
The Document Foundation, the organization behind the popular open-source office suite LibreOffice, has issued an urgent security advisory regarding a critical vulnerability (CVE-2024-5261) in its LibreOfficeKit component. This flaw could allow attackers to intercept or manipulate data transmitted between LibreOffice and remote servers, potentially exposing sensitive information.
LibreOfficeKit is an interface that allows C/C++ applications to access LibreOffice functionality, enabling third-party components to use LibreOffice as a library for document conversion, viewing, and interaction. However, in the affected versions of LibreOffice, TLS certificate verification was disabled when running in LibreOfficeKit mode. Specifically, curl's option CURLOPT_SSL_VERIFYPEER was set to false, bypassing a crucial security check for remote resources fetched via LibreOfficeKit.
This means that when LibreOfficeKit fetched remote resources, such as images hosted on web servers, the authenticity of the server's TLS certificate was not verified. An attacker positioned between LibreOfficeKit and the server could therefore intercept and manipulate these resources, leading to potential data breaches and other security incidents.
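The defect described above is a configuration choice in source code, so one practical check for teams embedding libcurl in their own C/C++ components is to audit the tree for calls that switch verification off. The script below is an added example for this advisory, not code from LibreOffice or The Document Foundation. It scans for CURLOPT_SSL_VERIFYPEER (the option named in the advisory) and CURLOPT_SSL_VERIFYHOST (libcurl's companion option for hostname checking) being set to 0, 0L, false or FALSE, and runs against a small constructed sample file so it can be tried offline.

```shell
#!/bin/sh
# Added example: audit C/C++ sources for libcurl calls that disable TLS
# peer or hostname verification. Not from the LibreOffice project.

# Build a constructed sample source tree standing in for a real code base.
# Prints the directory path so callers can clean it up afterwards.
make_sample_tree() {
    dir="${TMPDIR:-/tmp}/curl_audit_sample.$$"
    mkdir -p "$dir"
    cat > "$dir/fetch.c" <<'EOF'
#include <curl/curl.h>
/* Constructed: the weak configuration (verification switched off). */
int fetch_insecure(CURL *h) {
    curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 0L);   /* peer cert not checked */
    curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 0);    /* hostname not checked */
    return 0;
}
/* Constructed: the hardened configuration (libcurl defaults, stated explicitly). */
int fetch_secure(CURL *h) {
    curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 1L);   /* verify the chain */
    curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 2L);   /* verify the hostname */
    return 0;
}
EOF
    printf '%s\n' "$dir"
}

# Pattern: VERIFYPEER or VERIFYHOST followed by a value meaning "off".
INSECURE_PATTERN='CURLOPT_SSL_VERIFY(PEER|HOST)[[:space:]]*,[[:space:]]*(0L?|false|FALSE)[[:space:]]*\)'

# Print file:line:text for every offending call under the given directory.
# /dev/null is passed first so grep always prefixes the file name.
audit_curl_verify() {
    find "$1" -type f \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' \
        -o -name '*.cxx' -o -name '*.h' -o -name '*.hxx' \) \
        -exec grep -nE "$INSECURE_PATTERN" /dev/null {} + || true
}

# Number of findings, suitable as a CI gate (non-zero means review needed).
count_curl_verify_findings() {
    audit_curl_verify "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
sample="$(make_sample_tree)"
audit_curl_verify "$sample"
echo "findings: $(count_curl_verify_findings "$sample")"
rm -rf "$sample"
```

Run it from the root of a source tree by replacing the constructed sample with the real path (`audit_curl_verify ./src`). Two lines are reported for the sample: the VERIFYPEER and VERIFYHOST calls inside fetch_insecure; the explicit 1L and 2L settings in fetch_secure are not flagged. A match is a review prompt rather than proof of a vulnerability, since a build flag or test-only code path may legitimately own it, but in a component that fetches resources on a user's behalf, as LibreOfficeKit does, it should be treated as a defect until shown otherwise.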
What is vulnerable?
CVE | Severity | CVSS | Product(s) Affected |
---|---|---|---|
CVE-2024-5261 | High | 10.0 | LibreOffice before version 24.2.4 |
Recommendation
The WA SOC recommends that administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe (refer to Patch Management).
Reference
- https://securityonline.info/cve-2024-5261-cvss-10-libreoffice-patches-critical-vulnerability-in-libreofficekit/
- https://www.libreoffice.org/download/download-libreoffice/
- https://nvd.nist.gov/vuln/detail/CVE-2024-5261