#VU15176 Infinite loop in PDFBox - CVE-2018-11797

Cybersecurity Help s.r.o.

Published: 2018-10-08 | Updated: 2018-10-09

Vulnerability identifier: #VU15176

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-11797

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PDFBox
Universal components / Libraries / Libraries used by multiple products

Vendor: Apache Foundation

Description

The vulnerability vulnerability allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a target system.

The vulnerability exists in the Apache PDFBox parser due to improper processing of PDF files when parsing the page tree. A remote attacker can trick the victim into opening a PDF file that submits malicious input to the targeted system, trigger an infinite loop condition, which could lead to an out-of-memory exception and result in a DoS condition.

Mitigation
The vulnerability has been fixed in the versions 1.8.16 and 2.0.12.

Vulnerable software versions

PDFBox: 1.8.0 - 2.0.11

External links
https://pdfbox.apache.org/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Intelligent Operations Center (IOC)

Multiple vulnerabilities in Oracle Retail Xstore Point of Service

Fedora 29 update for pdfbox

Fedora 30 update for pdfbox

Fedora 31 update for pdfbox

OpenSUSE Linux update for apache-pdfbox

Denial of service in Apache PDFBox