The Apache Software Foundation (ASF) has released Apache OpenOffice 4.1.11, which fixes a handful of security vulnerabilities, including CVE-2021-33035, a recently revealed RCE vulnerability that could be triggered via a specially crafted document.
About Apache OpenOffice
Apache OpenOffice is an open-source office productivity suite that includes a word processor (Writer), a spreadsheet tool (Calc), a presentation editor (Impress), a vector graphics drawing editor (Draw), a mathematical formula editor (Math), and a database management program (Base).
It is developed by the Apache Software Foundation and welcomes contributions from its code community. According to the ASF, since its initial release it has been downloaded by hundreds of millions of users: individuals as well as businesses and organizations.
The suite is available for Windows, macOS and Linux.
The fixed vulnerabilities
As previously mentioned, the fix for CVE-2021-33035 has finally found its way into an official release of the suite.
CVE-2021-41830 and CVE-2021-41832 allow attackers to manipulate signed documents and macros to appear to come from a trusted source, and CVE-2021-41831 allows the manipulation of the timestamp of signed documents. These vulnerabilities were uncovered by researchers Simon Rohlmann, Vladislav Mladenov, Christian Mainka, and Jörg Schwenk of Ruhr University Bochum, Germany, and also affect LibreOffice (they have been fixed in LibreOffice 7.0.6/7.1.2).
Finally, Apache has fixed CVE-2021-28129, a potential security issue with the suite’s DEB package.
For information about other bugs fixed and enhancements/features introduced in Apache OpenOffice 4.1.11, check out the release notes.
“All users of Apache OpenOffice 4.1.10 or earlier are strongly advised to upgrade,” the ASF noted. “Windows 11 users can now also get Apache OpenOffice for selected languages in the Microsoft Store.”