Posted to users@pdfbox.apache.org by Andreas Lehmkuehler <le...@apache.org> on 2016/05/27 06:03:05 UTC

[CVE-2016-2175] Apache PDFBox XML External Entity vulnerability

CVE-2016-2175: Apache PDFBox XML External Entity vulnerability

Severity: Important


Vendor:
The Apache Software Foundation

Versions Affected:
Apache PDFBox 1.8.0 to 1.8.11
Apache PDFBox 2.0.0
Earlier, unsupported Apache PDFBox versions may be affected as well

Description:
Apache PDFBox parses different XML data within PDF files such as XMP and the 
initialization of the XML parsers did not protect against XML External Entity 
(XXE) vulnerabilities. According to www.owasp.org [1]: "This attack may lead to 
the disclosure of confidential data, denial of service, server side request 
forgery, port scanning from the perspective of the machine where the parser is 
located, and other system impacts."


Mitigation:
Upgrade to Apache PDFBox 1.8.12 or 2.0.1, respectively

Credit:
This issue was discovered by Arthur Khashaev (https://khashaev.ru), Seulgi Kim, 
Mesut Timur and Microsoft Vulnerability Research.

[1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: users-help@pdfbox.apache.org
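The advisory's root cause is an XML parser created with default settings, which in JAXP means DOCTYPE declarations and external entities are honoured. The following is an added example written for this page, not PDFBox's own fix and not code from the advisory: it builds a DocumentBuilderFactory with the standard JAXP/Xerces hardening features and then parses a constructed XMP-like packet (with a DOCTYPE that references a nonexistent placeholder path) under both the default and the hardened configuration, so the difference in behaviour is visible. The class name, the packet and the path are all assumptions made here.

```java
// Added example (not PDFBox code): hardening a JAXP DocumentBuilderFactory
// against XML External Entity (XXE) processing, plus a self-check that shows
// how the default and hardened factories treat an external entity.
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardening {

    /**
     * A factory configured the way the affected releases were not:
     * no DOCTYPE, no external entities, no external DTD loading.
     * If a parser implementation rejects one of these features, treat the
     * ParserConfigurationException as fatal rather than falling back.
     */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Most effective single setting: refuse any DOCTYPE up front.
        // XMP packets embedded in PDFs never need one.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that accept a DOCTYPE anyway.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses the bytes and reports how the given factory handled the external entity. */
    public static String describe(DocumentBuilderFactory dbf, byte[] xml) {
        try {
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document doc = db.parse(new ByteArrayInputStream(xml));
            return "parsed; entity expanded to: " + doc.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            // disallow-doctype-decl fires here, before the parser touches any URI.
            return "rejected before any I/O: " + e.getMessage();
        } catch (IOException e) {
            // The parser tried to open the entity's SYSTEM URI: this is the XXE behaviour.
            return "attempted to resolve the external entity: " + e;
        } catch (Exception e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed test input: an XMP-like packet whose DOCTYPE declares an
        // external entity pointing at a placeholder path that does not exist.
        String packet =
              "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE x [ <!ENTITY ext SYSTEM \"file:///nonexistent/xxe-probe\"> ]>\n"
            + "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\"><title>&ext;</title></x:xmpmeta>";
        byte[] bytes = packet.getBytes(StandardCharsets.UTF_8);

        System.out.println("default  : " + describe(DocumentBuilderFactory.newInstance(), bytes));
        System.out.println("hardened : " + describe(hardenedFactory(), bytes));
    }
}
```

Compile with `javac XxeHardening.java` and run `java XxeHardening`. With the JDK's built-in parser the default factory has historically attempted to open the referenced path (reported above as an IOException), while the hardened factory rejects the DOCTYPE before any I/O takes place. The same feature settings apply to SAXParserFactory and, through their own property names, to XMLInputFactory and TransformerFactory; wherever an application creates a parser for untrusted input, the check worth making in review is whether a DOCTYPE is actually needed, and if not, whether it is disallowed.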


Re: [CVE-2016-2175] Apache PDFBox XML External Entity vulnerability

Posted by Andreas Lehmkuehler <an...@lehmi.de>.
On 07.06.2016 at 11:46, Maruan Sahyoun wrote:
> Hi,
>
>> On 07.06.2016 at 11:42, Andreas Lehmkühler <an...@lehmi.de> wrote:
>>
>> Hi,
>>
>>> Maruan Sahyoun <sa...@fileaffairs.de> wrote on 6 June 2016 at 12:40:
>>>
>>>
>>> Hi,
>>>
>>>> On 06.06.2016 at 11:41, Simon Steiner <si...@gmail.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>> Should this be on the pdfbox homepage?
>>>
>>> I'll let Andreas decide on that
>> What should we add, just a news posting or adding a new security section as
>> other projects like Tomcat?
>
> a new post should do.
Done

BR
Andreas

>
>>
>> BR
>> Andreas
>>>> The homepage has http://pdfbox.apache.org/download.cgi but it's not
>>>> clickable.
>>>
>>> done - thanks for letting us know.
>>>
>>> Maruan
>>>
>>>>
>>>> Thanks
>>>>




Re: [CVE-2016-2175] Apache PDFBox XML External Entity vulnerability

Posted by Maruan Sahyoun <sa...@fileaffairs.de>.
Hi,

> On 07.06.2016 at 11:42, Andreas Lehmkühler <an...@lehmi.de> wrote:
> 
> Hi,
> 
>> Maruan Sahyoun <sa...@fileaffairs.de> wrote on 6 June 2016 at 12:40:
>> 
>> 
>> Hi,
>> 
>>> On 06.06.2016 at 11:41, Simon Steiner <si...@gmail.com> wrote:
>>> 
>>> Hi,
>>> 
>>> Should this be on the pdfbox homepage?
>> 
>> I'll let Andreas decide on that
> What should we add, just a news posting or adding a new security section as
> other projects like Tomcat?

a new post should do.

> 
> BR
> Andreas
>>> The homepage has http://pdfbox.apache.org/download.cgi but it's not
>>> clickable.
>> 
>> done - thanks for letting us know.
>> 
>> Maruan
>> 
>>> 
>>> Thanks
>>> 




Re: [CVE-2016-2175] Apache PDFBox XML External Entity vulnerability

Posted by Andreas Lehmkühler <an...@lehmi.de>.
Hi,

> Maruan Sahyoun <sa...@fileaffairs.de> wrote on 6 June 2016 at 12:40:
> 
> 
> Hi,
> 
> > On 06.06.2016 at 11:41, Simon Steiner <si...@gmail.com> wrote:
> > 
> > Hi,
> > 
> > Should this be on the pdfbox homepage?
> 
> I'll let Andreas decide on that
What should we add, just a news posting or adding a new security section as
other projects like Tomcat?

BR
Andreas
> > The homepage has http://pdfbox.apache.org/download.cgi but it's not
> > clickable.
> 
> done - thanks for letting us know.
> 
> Maruan
> 
> > 
> > Thanks
> > 



Re: [CVE-2016-2175] Apache PDFBox XML External Entity vulnerability

Posted by Maruan Sahyoun <sa...@fileaffairs.de>.
Hi,

> On 06.06.2016 at 11:41, Simon Steiner <si...@gmail.com> wrote:
> 
> Hi,
> 
> Should this be on the pdfbox homepage?

I'll let Andreas decide on that

> The homepage has http://pdfbox.apache.org/download.cgi but it's not clickable.

done - thanks for letting us know.

Maruan

> 
> Thanks
> 




RE: [CVE-2016-2175] Apache PDFBox XML External Entity vulnerability

Posted by Simon Steiner <si...@gmail.com>.
Hi,

Should this be on the pdfbox homepage?
The homepage has http://pdfbox.apache.org/download.cgi but it's not clickable.

Thanks

-----Original Message-----
From: Andreas Lehmkuehler [mailto:lehmi@apache.org] 
Sent: 27 May 2016 07:03
To: announce@apache.org; dev@pdfbox.apache.org; users@pdfbox.apache.org; security@apache.org; oss-security@lists.openwall.com; bugtraq@securityfocus.com
Subject: [CVE-2016-2175] Apache PDFBox XML External Entity vulnerability

CVE-2016-2175: Apache PDFBox XML External Entity vulnerability

Severity: Important


Vendor:
The Apache Software Foundation

Versions Affected:
Apache PDFBox 1.8.0 to 1.8.11
Apache PDFBox 2.0.0
Earlier, unsupported Apache PDFBox versions may be affected as well

Description:
Apache PDFBox parses different XML data within PDF files such as XMP and the initialization of the XML parsers did not protect against XML External Entity
(XXE) vulnerabilities. According to www.owasp.org [1]: "This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts."


Mitigation:
Upgrade to Apache PDFBox 1.8.12 or 2.0.1, respectively

Credit:
This issue was discovered by Arthur Khashaev (https://khashaev.ru), Seulgi Kim, Mesut Timur and Microsoft Vulnerability Research.

[1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
