Bug 65742 - java.lang.IllegalStateException in `org.apache.poi.xssf.usermodel.XSSFHyperlink.<init>::XSSFHyperlink.java:76` poi 5.1.0
Summary: java.lang.IllegalStateException in `org.apache.poi.xssf.usermodel.XSSFHyperli...
Status: RESOLVED FIXED
Alias: None
Product: POI
Classification: Unclassified
Component: XSSF
Version: 5.0.x-dev
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: POI Developers List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-12-13 09:12 UTC by wenjiezander
Modified: 2021-12-16 19:54 UTC



Attachments
The poc file causes java.lang.IllegalStateException in `org.apache.poi.xssf.usermodel.XSSFHyperlink.<init>::XSSFHyperlink.java:76` poi 5.1.0 (12.51 KB, application/zip)
2021-12-13 10:28 UTC, wenjiezander

Description wenjiezander 2021-12-13 09:12:18 UTC
# java.lang.IllegalStateException in `org.apache.poi.xssf.usermodel.XSSFHyperlink.<init>::XSSFHyperlink.java:76` poi 5.1.0

This vulnerability is a java.lang.IllegalStateException, and can be triggered in the latest version of poi (5.1.0).
It is caused by invoking a method at an inappropriate time and can be used by attackers to launch a DoS (Denial of Service) attack against any java program that uses this library (since the user of metadata-extractor doesn't know they need to catch this kind of exception) ( CWE-248: Uncaught exception).
Likely, the root cause of this crash is in `org.apache.poi.xssf.usermodel.XSSFHyperlink.<init>::XSSFHyperlink.java:76`.
See more detail from the following crash stack.

# Crash stack:
The crash thread's stack is as follows:

```
org.apache.poi.xssf.usermodel.XSSFHyperlink.<init>::XSSFHyperlink.java:76
org.apache.poi.xssf.usermodel.XSSFSheet.initHyperlinks::XSSFSheet.java:239
org.apache.poi.xssf.usermodel.XSSFSheet.read::XSSFSheet.java:189
org.apache.poi.xssf.usermodel.XSSFSheet.onDocumentRead::XSSFSheet.java:159
org.apache.poi.xssf.usermodel.XSSFWorkbook.parseSheet::XSSFWorkbook.java:448
org.apache.poi.xssf.usermodel.XSSFWorkbook.onDocumentRead::XSSFWorkbook.java:413
org.apache.poi.ooxml.POIXMLDocument.load::POIXMLDocument.java:169
org.apache.poi.xssf.usermodel.XSSFWorkbook.<init>::XSSFWorkbook.java:275
org.apache.poi.xssf.usermodel.XSSFWorkbook.<init>::XSSFWorkbook.java:296
com.test.Entry.main::Entry.java:32
```


# Steps to reproduce:

1. Build the following java code with the corresponding poi library (version 5.1.0).

```
## Download poi_env_reproduce.zip from https://drive.google.com/file/d/1N4gUC0MF-SAN-Xz0van0_7TbNj4aUuFd/view?usp=sharing
unzip poi_env_reproduce.zip
cd poi_env_reproduce
bash build.sh
```

2. Run the built program to see the crash by feeding it one of the poc files contained in pocs.tar.gz, e.g. :

```bash
java -jar target/Entry-1.0-SNAPSHOT-jar-with-dependencies.jar pocs/crash-5a6edeb2f92c65a5e64ea2934911a0a9a5b4bda5
```

Any further discussion of this vulnerability, including a fix, is welcome!
Feel free to contact me at wenjiezander@gmail.com (https://github.com/ZanderHuang)
Comment 1 wenjiezander 2021-12-13 09:44:03 UTC
The poc file and report can be downloaded from https://drive.google.com/drive/folders/1RsDEtpjmv3adeLg0E0H4g4FicUKxdpgG?usp=sharing
Comment 2 wenjiezander 2021-12-13 10:28:22 UTC
Created attachment 38133
The poc file causes java.lang.IllegalStateException in `org.apache.poi.xssf.usermodel.XSSFHyperlink.<init>::XSSFHyperlink.java:76` poi 5.1.0
Comment 3 PJ Fanning 2021-12-13 11:27:37 UTC
marking all these as need info - can you explain in plain English what you are testing? are you testing that POI can't handle garbage input? and what do you expect POI to do when it gets garbage input?
Comment 4 PJ Fanning 2021-12-13 12:26:06 UTC
I would argue that no one should be accepting microsoft format files from untrusted sources. It is up to anybody who decides to expose themselves to accepting rogue files to validate the inputs before parsing them with POI.
Comment 5 wenjiezander 2021-12-16 10:17:55 UTC
(In reply to PJ Fanning from comment #4)
> I would argue that noone should be accepting microsoft format files from
> untrusted sources. It is up to anybody you decides to expose themselves to
> accepting rogue files that they should validate the inputs before parsing it
> with POI.

Yes, POI may not handle all kinds of checks/validations by itself. I suggest POI wrap the exceptions as xxxException accordingly, so that the user can properly handle the error when it happens. [ CWE 248 Uncaught exception (https://cwe.mitre.org/data/definitions/248.html)]

In the meantime, I am testing the unreleased version 5.2.0-SNAPSHOT. Is there an easy way to build this version?
Comment 6 Andreas Beeker 2021-12-16 11:53:10 UTC
https://ci-builds.apache.org/job/POI/job/POI-DSL-1.8/lastSuccessfulBuild/artifact/

... contains the latest nightly.
Comment 7 wenjiezander 2021-12-16 14:57:30 UTC
I have tested in 5.2.0-SNAPSHOT taken from https://ci-builds.apache.org/job/POI/job/POI-DSL-1.8/lastSuccessfulBuild/artifact/build/dist/

This bug is fixed and the exception is caught by newly implemented POIXMLException
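As an added example, not code from the POI project or from anyone in this thread: a loader that does what comments 4 and 5 ask of the caller, that is, bounds the input before handing it to POI and converts whatever the parser throws into one checked exception at the trust boundary. It catches `POIXMLException` (the wrapper comment 7 reports in 5.2.0-SNAPSHOT) and, because 5.1.0 and earlier let the raw `IllegalStateException` escape, falls back to `RuntimeException` as well. The size cap, the zip-bomb thresholds and the `UntrustedFileException` type are this example's own assumptions, not POI API.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

import org.apache.poi.ooxml.POIXMLException;
import org.apache.poi.openxml4j.util.ZipSecureFile;
import org.apache.poi.util.IOUtils;
import org.apache.poi.xssf.usermodel.XSSFWorkbook;

/** Opens an .xlsx from an untrusted source; every parser failure surfaces as UntrustedFileException. */
public final class SafeXlsxLoader {

    // Assumption for this example: reject anything over 10 MiB before POI sees it.
    private static final long MAX_FILE_BYTES = 10L * 1024 * 1024;

    /** Hypothetical wrapper type so callers have one exception to catch (CWE-248 mitigation). */
    public static final class UntrustedFileException extends Exception {
        public UntrustedFileException(String msg, Throwable cause) { super(msg, cause); }
    }

    static {
        // POI's own zip-bomb guards on the OPC/ZIP layer; the thresholds are this example's choice.
        ZipSecureFile.setMinInflateRatio(0.01d);
        ZipSecureFile.setMaxEntrySize(50L * 1024 * 1024);
        IOUtils.setByteArrayMaxOverride(50 * 1024 * 1024);
    }

    public static XSSFWorkbook load(Path file) throws UntrustedFileException {
        try {
            long size = Files.size(file);
            if (size <= 0 || size > MAX_FILE_BYTES) {
                throw new UntrustedFileException("rejecting " + file + ": size " + size + " out of bounds", null);
            }
            try (InputStream in = Files.newInputStream(file)) {
                return new XSSFWorkbook(in);
            }
        } catch (POIXMLException e) {
            // 5.2.0+: malformed parts such as the hyperlink in this bug arrive wrapped in POIXMLException.
            throw new UntrustedFileException("malformed OOXML in " + file, e);
        } catch (IOException e) {
            throw new UntrustedFileException("cannot read " + file, e);
        } catch (RuntimeException e) {
            // 5.1.0 and earlier: the raw IllegalStateException (and other unchecked errors) escape the parser.
            throw new UntrustedFileException("parser failure on " + file, e);
        }
    }

    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: SafeXlsxLoader <file.xlsx>");
            System.exit(2);
        }
        try (XSSFWorkbook wb = load(Path.of(args[0]))) {
            System.out.println("sheets: " + wb.getNumberOfSheets());
        } catch (UntrustedFileException e) {
            System.err.println("rejected: " + e.getMessage() + " (cause: " + e.getCause() + ")");
            System.exit(1);
        } catch (IOException e) {
            // XSSFWorkbook.close() can throw as well.
            System.err.println("close failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it as `java -cp poi-5.1.0.jar:poi-ooxml-5.1.0.jar:... SafeXlsxLoader pocs/crash-5a6edeb2f92c65a5e64ea2934911a0a9a5b4bda5` (exact classpath depends on your build): on 5.1.0 the poc lands in the `RuntimeException` branch, on 5.2.0-SNAPSHOT in the `POIXMLException` branch, and in both cases the program exits cleanly instead of dying on an uncaught exception. The size check and the `ZipSecureFile` limits only guard the container; they do not make POI's sheet parser accept garbage, which is why the catch-all branch stays even after the upstream fix.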