A maintenance release for PDFreactor 10 is now available. This release addresses security vulnerabilities that affect all PDFreactor versions prior to this one.
What are the vulnerabilities?
PDFreactor releases prior to 10.1.10722 are vulnerable to server-side request forgery (SSRF; CVE-2019-12153, reported by Sean Melia of Aon’s Cyber Solutions) and to attacks using XML external entity processing (XXE; CVE-2019-12154, reported by Sean Melia of Aon’s Cyber Solutions).
How can these vulnerabilities be exploited?
XXE can be exploited by specifying external entities in XML files in such a way that the parser loads private files or network resources, which is essentially an SSRF attack. In addition, malicious XML can be used for a denial-of-service (DoS) attack via the so-called “billion laughs attack”.
How are these vulnerabilities addressed by this release?
PDFreactor now features security settings which can prevent these exploits:
By default, PDFreactor no longer loads resources from the server’s file system. There are certain exceptions to this general security rule, so please refer to the chapter “Security” in the PDFreactor manual for a more detailed explanation. This protects against SSRF.
When converting XML documents, PDFreactor will no longer automatically load external XML parser resources, such as DTDs, entities or XIncludes. This protects against DoS attacks using XXE.
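The following pre-scan is an added example, not PDFreactor's own code: using only Python's standard-library expat parser, it flags the constructs the release stops loading automatically (external DTD subsets, external general or parameter entities, XInclude elements) and sizes internal entity expansions at the end of the DTD, before the document body is parsed, so a "billion laughs" document is reported without ever being expanded. The MAX_EXPANSION budget and the SAMPLE document are constructed assumptions.

```python
import re, xml.parsers.expat as expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"
MAX_EXPANSION = 100_000  # assumed budget (chars) for one entity's full expansion
_REF = re.compile(r"&([^&;#\s]+);")  # general entity refs kept in replacement text

class _StopParse(Exception):
    pass  # raised from a handler to abort before the document body is parsed

def scan_xml(data: bytes) -> list[str]:
    """Findings for external DTDs/entities, XInclude elements and entity blow-up."""
    findings: list[str] = []
    internal: dict[str, str] = {}  # internal general entities: name -> replacement text
    def on_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:
            findings.append(f"external DTD subset: {sysid or pubid}")
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid or pubid:
            findings.append(f"external {'parameter' if is_param else 'general'} entity {name!r}: {sysid or pubid}")
        elif value is not None and not is_param:
            internal[name] = value
    def on_doctype_end():  # DTD complete, body not yet parsed: size expansions first
        memo: dict[str, int] = {}
        def size(n, stack=()):
            if n in stack or n not in internal:  # recursive (ill-formed) or predefined
                return 1
            if n not in memo:
                memo[n] = len(internal[n]) + sum(size(r, stack + (n,)) for r in _REF.findall(internal[n]))
            return memo[n]
        worst, name = max(((size(n), n) for n in internal), default=(0, None))
        if worst > MAX_EXPANSION:
            findings.append(f"entity {name!r} expands to ~{worst} characters")
            raise _StopParse
    def on_start(tag, attrs):
        if tag.startswith(XINCLUDE_NS + " "):
            findings.append(f"XInclude element: href={attrs.get('href')!r}")
    p = expat.ParserCreate(namespace_separator=" ")
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # never fetch external DTDs
    p.StartDoctypeDeclHandler, p.EndDoctypeDeclHandler = on_doctype, on_doctype_end
    p.EntityDeclHandler, p.StartElementHandler = on_entity, on_start
    try:
        p.Parse(data, True)
    except _StopParse:
        pass
    except expat.ExpatError as e:
        findings.append(f"not well-formed: {e}")
    return findings

SAMPLE = (b'<!DOCTYPE d [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>'  # constructed sample
          b'<d xmlns:xi="http://www.w3.org/2001/XInclude">&ext;<xi:include href="x.xml"/></d>')
```

Running `scan_xml(SAMPLE)` reports the external entity and the XInclude element; an empty list means none of the flagged constructs were seen.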
Please note that depending on the integration and usage scenario, the security settings of PDFreactor need to be configured appropriately. Please refer to the chapter “Security” in the PDFreactor manual. Also, depending on the integration and usage scenario, it might be advisable to configure appropriate outbound firewall rules on the server that runs PDFreactor, to prevent access to internal network resources.