CVE-2021-27906
OutOfMemory-Exception vulnerability in pdfbox (Maven)
What is CVE-2021-27906 About?
This vulnerability affects Apache PDFBox versions 2.0.22 and prior 2.0.x versions, where a specially crafted PDF file can trigger an OutOfMemory-Exception during loading. This leads to a Denial of Service, making the system unavailable. Exploitation requires providing a malicious PDF, which can be relatively easy.
Affected Software
Technical Details
The vulnerability in Apache PDFBox arises when loading a carefully crafted PDF file. The malformed structure of this PDF file causes the application to consume an excessive amount of memory during processing. This disproportionate memory allocation continues until system resources are exhausted, leading to an OutOfMemory-Exception. This exception prevents the application from functioning correctly, resulting in a Denial of Service (DoS) condition.
What is the Impact of CVE-2021-27906?
Successful exploitation may allow attackers to cause the application to crash or become unresponsive due to resource exhaustion, leading to a Denial of Service.
What is the Exploitability of CVE-2021-27906?
Exploitation of this vulnerability involves providing a specially crafted PDF file to an application that uses the vulnerable Apache PDFBox library. This typically requires user interaction, such as opening a malicious PDF, or an automated process that parses such a file. Attack complexity is relatively low, since exploitation depends only on the file's content. There are no explicit authentication or privilege requirements beyond the ability to submit the malicious PDF for processing. Local or remote exploitation is possible depending on how the application handles PDF files (e.g., a local file open or a remote file upload to a server). Applications that automatically process untrusted PDF files are at the greatest risk.
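One defensive pattern for services that must parse PDFs from untrusted sources, added here as an example and not code from this advisory or from the PDFBox project: run the load in a child JVM with a bounded heap and a deadline, so an OutOfMemory-Exception like the one described above terminates only the worker process rather than the whole service. It uses the PDFBox 2.0.x `PDDocument.load` API; the class name, heap size and timeout are assumptions. Upgrading to 2.0.23 remains the actual fix.

```java
import java.io.File;
import java.util.List;
import java.util.concurrent.TimeUnit;
import org.apache.pdfbox.pdmodel.PDDocument;

/** Parses untrusted PDFs in a child JVM with a bounded heap and a deadline (example code). */
public class IsolatedPdfLoad {
    // Assumed limits for this example; tune them to the size of PDFs you legitimately accept.
    static final String HEAP_LIMIT = "-Xmx256m";
    static final long TIMEOUT_SECONDS = 20;
    static final int EXIT_OOM = 3;

    /** Parent side: returns true only if the worker parsed the file within the limits. */
    public static boolean parseIsolated(File pdf) throws Exception {
        String javaBin = System.getProperty("java.home") + File.separator + "bin" + File.separator + "java";
        String classpath = System.getProperty("java.class.path");
        Process worker = new ProcessBuilder(List.of(
                javaBin, HEAP_LIMIT,
                "-XX:+ExitOnOutOfMemoryError",   // HotSpot: terminate instead of limping on after an OOM
                "-cp", classpath,
                IsolatedPdfLoad.class.getName(), "--worker", pdf.getAbsolutePath()))
            .redirectErrorStream(true)
            .start();
        if (!worker.waitFor(TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
            worker.destroyForcibly();            // runaway parse: kill the worker, not the service
            return false;
        }
        return worker.exitValue() == 0;          // any non-zero exit (OOM, parse error) is a rejection
    }

    /** Worker side: the only place where PDFBox touches the untrusted bytes. */
    static int parseInWorker(File pdf) {
        try (PDDocument doc = PDDocument.load(pdf)) {
            doc.getNumberOfPages();              // force the page tree to be read as well
            return 0;
        } catch (OutOfMemoryError e) {
            return EXIT_OOM;                     // fallback if the JVM flag above is not honoured
        } catch (Exception e) {
            return 1;                            // malformed or otherwise unparseable file
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2 && "--worker".equals(args[0])) {
            System.exit(parseInWorker(new File(args[1])));
        }
        boolean ok = parseIsolated(new File(args[0]));
        System.out.println(ok ? "parsed within limits" : "rejected (timeout, OOM or parse error)");
    }
}
```

Log the worker's exit code and elapsed time per file: a cluster of OOM or timeout rejections from one upload source is a useful detection signal for crafted files hitting this issue.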
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-27906?
Available Upgrade Options
- org.apache.pdfbox:pdfbox
  - >2.0.0, <2.0.23 → Upgrade to 2.0.23
Additional Resources
- https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E
- https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8%40%3Cdev.pdfbox.apache.org%3E
- https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd@%3Cusers.pdfbox.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.apache.org/thread.html/r64982b768c8a2220b07aaf813bd099a9863de0d13eb212fd4efe208f@%3Cusers.pdfbox.apache.org%3E
- https://github.com/apache/pdfbox/commit/8c47be1011c11dc47300faecffd8ab32fba3646f
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H/
- https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3@%3Ccommits.ofbiz.apache.org%3E
What are Similar Vulnerabilities to CVE-2021-27906?
Similar Vulnerabilities: CVE-2023-42469, CVE-2023-38069, CVE-2022-4504, CVE-2022-38549, CVE-2021-39230
