OpenOffice- and LibreOffice Vulnerability CVE-2018-16858

[German]There is a micro patch for the 0-day vulnerability CVE-2018-16858 in OpenOffice. And for the vulnerability (patched in LibreOffice by an update) there is a Proof of Concept (PoC).


LibreOffice RCE vulnerability CVE-2018-16858

In LibreOffice (and OpenOffice) there is a remote code execution vulnerability CVE-2018-16858, which I had briefly addressed in the blog post Remote Code Execution vulnerability in LibreOffice. This vulnerability has been fixed in LibreOffice 6.0.7/6.1.3 as you can read in this LibreOffice document. Now John Lambert from Microsoft Threat Intelligence Center points out a Proof of Concept (PcC) to exploit the vulnerability (in LibreOffice and OpenOffice)

The PoC was developed by Alex Inführ, a blogger from Austria. He also discovered the vulnerability and now published the approach for a PoC in the article Libreoffice (CVE-2018-16858) – Remote Code Execution via Macro/Event execution. If you use LibreOffice, you should update to version 6.0.7/6.1.3 as soon as possible.

A OpenOffice Micro-Patch for CVE-2018-16858

All versions of OpenOffice/LibreOffice have the CVE-2018-16858 vulnerability up to version 6.0.6/ The vulnerability has received a CVSS3 base score of 7.8 (moderate) from Red Hat. While the developers in LibreOffice have closed it in versions 6.0.7/6.1.3, the OpenOffice developers do not lag behind with updates. 


For the Windows version of OpenOffice, 0patch has released a mico patch to close the vulnerability (see tweet above). Bleeping Computer has published some information here.


This entry was posted in Office, Security and tagged , , . Bookmark the permalink.

2 Responses to OpenOffice- and LibreOffice Vulnerability CVE-2018-16858

  1. Nathan says:

    Fake news: OpenOffice is not impacted by this PoC. Did you try this before writing these bullsh*ts?

    • guenni says:

      Congrats – you own the jack pot ;-) Read the linked blog post about Libreoffice (CVE-2018-16858) from Alex:

      18.10.2018 – reported the bug
      30.10.2018 – bug was fixed and added to daily builds
      14.11.2018 – CVE-2018-16858 was assigned by Redhat – got told that 31.01.2019 is the date I can publish
      01.02.2019 – Blogpost published

Leave a Reply

Your email address will not be published. Required fields are marked *