Detections
Analytics

TencentOS Server 3: libreoffice (TSSA-2022:0242)

high Nessus Plugin ID 238895

Synopsis

The remote TencentOS Server 3 host is missing one or more security updates.

Description

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2022:0242 advisory.

 Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

 CVE-2021-25633:
 LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid.
 An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to combine multiple certificate data, which when opened caused LibreOffice to display a validly signed indicator but whose content was unrelated to the signature shown. This issue affects: The Document Foundation LibreOffice 7-0 versions prior to 7.0.6; 7-1 versions prior to 7.1.2.

 CVE-2021-25634:
 LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid.
 An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to modify a digitally signed ODF document to insert an additional signing time timestamp which LibreOffice would incorrectly present as a valid signature signed at the bogus signing time. This issue affects: The Document Foundation LibreOffice 7-0 versions prior to 7.0.6; 7-1 versions prior to 7.1.2.

 CVE-2021-25635:
 It is possible for an attacker to manipulate documents to appear to be signed by a trusted source. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11.
 See CVE-2021-25635 for the LibreOffice advisory.

 CVE-2021-25636:
 LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid.
 An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both X509Data and KeyValue children of the KeyInfo tag, which when opened caused LibreOffice to verify using the KeyValue but to report verification with the unrelated X509Data value.
 This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.5.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://mirrors.tencent.com/tlinux/errata/tssa-20220242.xml

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25633

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25634

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25635

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25636

Plugin Details

Severity: High

ID: 238895

File Name: tencentos_TSSA_2022_0242.nasl

Version: 1.1

Type: local

Published: 6/16/2025

Updated: 6/16/2025

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/o:tencent:tencentos_server:3, p-cpe:/a:tencent:tencentos_server:libreoffice

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/etc/os-release, Host/TencentOS/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/16/2022

Vulnerability Publication Date: 12/16/2022