Researchers at Ruhr-University Bochum's Chair for Network and Data Security discovered and reported various vulnerabilities in Apache OpenOffice and LibreOffice that could be exploited to modify documents to seem they have been digitally signed by a trusted source, according to The Hacker News.
Threat actors could abuse the flaws — which include a content and macro manipulation with double certificate attack issue, tracked as CVE-2021-41830 and CVE-2021-25633; a timestamp manipulation with signature wrapping bug, tracked as CVE-2021-41831 and CVE-2021-25634; and a content manipulation with certificate validation attack issue, tracked as CVE-2021-41832 and CVE-2021-25635 — to enable alteration of signed ODF documents' timestamps, as well as modification of documents' contents and the signing of documents with untrusted signatures.
Maintainers of each office productivity suite have resolved the issues in OpenOffice version 4.1.11 and LibreOffice versions 7.0.5, 7.0.6, 7.1.1 and 7.1.2. Users have been urged to promptly update to the latest versions to avert risks.
