Bug 1340396 (CVE-2016-2175) - CVE-2016-2175 pdfbox: XML External Entity vulnerability
Summary: CVE-2016-2175 pdfbox: XML External Entity vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-2175
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1340397 1387353 1387354
Blocks: 1340390 1398009 1412839 1415286
TreeView+ depends on / blocked
 
Reported: 2016-05-27 09:32 UTC by Andrej Nemec
Modified: 2020-12-15 15:15 UTC (History)
34 users (show)

Fixed In Version: pdfbox 1.8.12, pdfbox 2.0.1
Doc Type: Bug Fix
Doc Text:
It was found that the parsing of XMP and other XML formats in PDF by Apache PDFBox would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:53:02 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0179 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Fuse/A-MQ 6.3 security and bug fix update 2017-01-20 01:21:07 UTC
Red Hat Product Errata RHSA-2017:0248 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss BRMS security update 2017-02-03 01:33:45 UTC
Red Hat Product Errata RHSA-2017:0249 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss BPM Suite security update 2017-02-03 01:33:32 UTC
Red Hat Product Errata RHSA-2017:0272 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Data Virtualization security and bug fix update 2017-02-14 21:41:53 UTC

Description Andrej Nemec 2016-05-27 09:32:17 UTC 
Apache PDFBox parses different XML data within PDF files such as XMP and the initialization of the XML parsers did not protect against XML External Entity (XXE) vulnerabilities.

References:

http://seclists.org/oss-sec/2016/q2/419
Comment 1 Andrej Nemec 2016-05-27 09:33:14 UTC 
Created pdfbox tracking bugs for this issue:

Affects: fedora-all [bug 1340397]
Comment 2 Fedora Update System 2016-07-12 02:24:02 UTC 
pdfbox-1.8.8-6.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2016-07-18 18:28:47 UTC 
pdfbox-1.8.11-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 errata-xmlrpc 2017-01-19 20:21:21 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse/A-MQ 6.3 Rollup 1

Via RHSA-2017:0179 https://rhn.redhat.com/errata/RHSA-2017-0179.html
Comment 8 errata-xmlrpc 2017-02-02 20:42:55 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.4.1

Via RHSA-2017:0249 https://rhn.redhat.com/errata/RHSA-2017-0249.html
Comment 9 errata-xmlrpc 2017-02-02 20:43:51 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.4.1

Via RHSA-2017:0248 https://rhn.redhat.com/errata/RHSA-2017-0248.html
Comment 10 errata-xmlrpc 2017-02-14 16:42:17 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.3 Update 4

Via RHSA-2017:0272 https://rhn.redhat.com/errata/RHSA-2017-0272.html
Note You need to log in before you can comment on or make changes to this bug.