CVE-2021-27807
Denial of Service (DoS) vulnerability in pdfbox (Maven)
What is CVE-2021-27807 About?
This is a Denial of Service vulnerability in Apache PDFBox, where a specially crafted PDF file can trigger an infinite loop during loading. This leads to application unresponsiveness and service unavailability. Exploitation is relatively easy by providing a malicious PDF file.
Affected Software
Technical Details
Apache PDFBox 2.0.22 and earlier 2.0.x releases are vulnerable to an infinite loop during document loading. A carefully crafted PDF file can drive the parser into a loop that never terminates. The trigger could be maliciously built PDF objects, cross-reference entries, or stream structures; for example, malformed references within the file could form a cycle, or leave an iterator unable to advance past a given condition. Because the loop never exits, it consumes CPU indefinitely, the application using PDFBox hangs, and service is denied.
What is the Impact of CVE-2021-27807?
Successful exploitation may allow attackers to cause the application processing PDF files to enter an infinite loop, leading to a denial of service.
What is the Exploitability of CVE-2021-27807?
Exploitation is relatively easy, requiring only the ability to supply a malicious PDF file to an application that uses Apache PDFBox. No authentication is required if the application accepts untrusted PDF files. Privileges depend on the context of the application processing the PDF, but no elevated privileges are typically needed for the attacker. The attack can be remote, as a user could upload or provide a link to the malicious PDF. The primary condition is that the application must process untrusted PDF documents. Risk factors include publicly accessible services that process user-supplied PDF content without robust validation and timeout mechanisms.
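The "timeout mechanisms" mentioned above are the defensive control that matters while an upgrade is pending. The following Java class is an added example for this advisory, not code from the PDFBox project or from Resolved Security: it loads an untrusted PDF on a worker thread with PDFBox 2.0.x (the `PDDocument.load` and `MemoryUsageSetting` API) and refuses to wait longer than a caller-chosen budget. The class name, the 50 MB memory cap and the 5 second budget are assumptions chosen for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.pdfbox.io.MemoryUsageSetting;
import org.apache.pdfbox.pdmodel.PDDocument;

/**
 * Loads an untrusted PDF under a hard wall-clock budget so that a parser
 * that never returns (as in CVE-2021-27807) cannot stall the request thread.
 * Added example for this advisory; not PDFBox project code. Assumes the
 * PDFBox 2.0.x API and a caller-supplied executor.
 */
public final class BoundedPdfLoader {

    private final ExecutorService pool;
    private final long timeoutMillis;

    public BoundedPdfLoader(ExecutorService pool, long timeoutMillis) {
        this.pool = pool;
        this.timeoutMillis = timeoutMillis;
    }

    /** Returns the page count, or throws TimeoutException if loading exceeds the budget. */
    public int pageCount(File untrusted) throws IOException, TimeoutException {
        Future<Integer> task = pool.submit(() -> {
            // Cap in-memory buffering at 50 MB (assumed limit); PDFBox spills the rest to temp files.
            MemoryUsageSetting mem = MemoryUsageSetting.setupMixed(50L * 1024 * 1024);
            try (PDDocument doc = PDDocument.load(untrusted, mem)) {
                return doc.getNumberOfPages();
            }
        });
        try {
            return task.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Best effort only: a CPU-bound loop that never checks its interrupt flag keeps spinning.
            task.cancel(true);
            throw e;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("interrupted while loading PDF", e);
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            throw new IOException("PDF load failed", cause);
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        BoundedPdfLoader loader = new BoundedPdfLoader(pool, 5_000); // 5 s budget (assumed)
        try {
            System.out.println("pages: " + loader.pageCount(new File(args[0])));
        } catch (TimeoutException e) {
            System.err.println("PDF load exceeded budget; rejecting file");
        } finally {
            pool.shutdownNow();
        }
    }
}
```

The timeout protects the caller, not the worker: `Future.cancel(true)` only sets the interrupt flag, and a parsing loop that never checks it keeps burning a pool thread until the JVM exits. Watch pool saturation as the detection signal (threads stuck in PDFBox frames, rising load with no completed requests), and run PDF parsing in a separate process or container with a CPU limit if the service must keep accepting untrusted files before upgrading to 2.0.23.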
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-27807?
Available Upgrade Options
- org.apache.pdfbox:pdfbox
- >2.0.0, <2.0.23 → Upgrade to 2.0.23
Additional Resources
- https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E
- https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8%40%3Cdev.pdfbox.apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/03/19/9
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H/
- https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12@%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac@%3Ccommits.ofbiz.apache.org%3E
What are Similar Vulnerabilities to CVE-2021-27807?
Similar Vulnerabilities: CVE-2021-31811, CVE-2020-13956, CVE-2022-38706, CVE-2023-38604, CVE-2022-31128
