CVE-2021-31811
Denial of Service (DoS) vulnerability in pdfbox (Maven)
What is CVE-2021-31811 About?
This is a Denial of Service vulnerability in Apache PDFBox, where a specially crafted PDF file can trigger an OutOfMemory-Exception during loading. This leads to application crashes and service unavailability. Exploitation is relatively easy by providing a malicious PDF file.
Affected Software
- org.apache.pdfbox:pdfbox
- >2.0.0, <2.0.24
- org.apache.pdfbox:pdfbox-parent
- >2.0.0, <2.0.24
Technical Details
The Apache PDFBox library, specifically versions 2.0.23 and prior 2.0.x versions, is vulnerable to a Denial of Service (DoS) condition. A carefully crafted PDF file can exploit parsing inefficiencies or vulnerabilities related to memory allocation when loading the file. This could involve, for instance, maliciously structured PDF objects, deeply nested data structures, or excessively large metadata blocks designed to consume an inordinate amount of memory during the parsing and rendering process. When such a PDF is processed, it exhausts the available memory, triggering an OutOfMemory-Exception and causing the application using PDFBox to crash or become unresponsive, resulting in a denial of service.
What is the Impact of CVE-2021-31811?
Successful exploitation may allow attackers to crash the application processing PDF files, leading to a denial of service.
What is the Exploitability of CVE-2021-31811?
Exploitation is relatively easy, requiring only the ability to supply a malicious PDF file to an application that uses Apache PDFBox to process documents. No authentication is required if the application accepts untrusted PDF files. Privileges depend on the context of the application processing the PDF, but typically no elevated privileges are needed for the attacker. The attack can be remote, as a user could upload or provide a link to the malicious PDF. The primary condition is that the application must process untrusted PDF documents. Risk factors include publicly accessible services that process user-supplied PDF content without robust validation or resource limits.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2021-31811?
Available Upgrade Options
- org.apache.pdfbox:pdfbox
- >2.0.0, <2.0.24 → Upgrade to 2.0.24
- org.apache.pdfbox:pdfbox-parent
- >2.0.0, <2.0.24 → Upgrade to 2.0.24
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.apache.org/thread.html/rf937c2236e6c79cdb99f76a70690dd345e53dbe0707cb506a202e43e@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/06/12/2
- https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-31811
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba%40%3Cnotifications.ofbiz.apache.org%3E
What are Similar Vulnerabilities to CVE-2021-31811?
Similar Vulnerabilities: CVE-2020-13956 , CVE-2022-38706 , CVE-2023-38604 , CVE-2022-31128 , CVE-2022-23746
