Apache POI contains a flaw that may allow a remote denial of service. The issue is triggered when a validation check of the length attribute is not performed in the UnhandledDataStructure() constructor in src/org/apache/poi/hwpf/model/UnhandledDataStructure.java when handling CDF or CFBF files. This will result in a loss of availability for the program.

Currently, there are no known workarounds or upgrades to correct this issue. However, Debian has released a patch to address this vulnerability. Check the vendor changelog in the references section.

• CVE ID: 2012-0213 (see also: NVD)
• Secunia Advisory ID: 49040 49292 50549
• Mail List Post: http://lists.fedoraproject.org/pipermail/package-announce/2012-August/084609.html
• Vendor Specific News/Changelog Entry: http://lists.opensuse.org/opensuse-updates/2012-05/msg00038.html
  http://www.debian.org/security/2012/dsa-2468
  https://bugzilla.redhat.com/show_bug.cgi?id=799078
• RedHat RHSA: RHSA-2012:1232

• Not Available