PDFreactor 10 Maintenance Release 10.1.10722 now available – Important Security Update

A maintenance release for PDFreactor 10 is now available. This release addresses security vulnerabilities that affect all PDFreactor versions prior to this one.

What are the vulnerabilities?

PDFreactor releases prior to 10.1.10722 are vulnerable to server-side request forgery (SSRF; CVE-2019-12153: by Sean Melia of Aon’s Cyber Solutions) and to attacks using XML external entity processing (XXE; CVE-2019-12154: by Sean Melia of Aon’s Cyber Solutions).

How can these vulnerabilities be exploited?

PDFreactor works under the assumption that all content and data (HTML, CSS, JavaScript etc.) it processes comes from trusted sources. However, this may not always be the case depending on your integration. If attackers are able to inject custom HTML, CSS or JavaScript into the content which is processed by PDFreactor, they may be able to gain access to files on the PDFreactor server or private network resources.

XXE can be exploited by specifying external entities in XML files in such a way that they load private files or network resources which is essentially an SSRF attack. In addition, malicious XML can be used for a denial-of-service (DoS) attack via the so called “billion laughs attack”.

How are these vulnerabilities addressed by this release?

PDFreactor now features security settings which can prevent these exploits:

By default PDFreactor no longer loads resources from the server’s file system. There are certain exceptions to this general security rule, so please refer to the chapter “Security” in the PDFreactor manual for a more detailed explanation. This protects against SSRF. 

When converting XML documents, PDFreactor will no longer automatically load external XML parser resources, such as DTDs, entities or XIncludes. This protects against DoS attacks using XXE.

Important! Before updating, please refer to the migration guide for more information as these changes might impact the functionality of existing integrations.

Please note that depending on the integration and usage scenario, the security settings of PDFreactor need to be configured appropriately. Please refer to the chapter “Security” in the PDFreactor manual. Also, depending on the integration and usage scenario it might be advisable to configure appropriate outbound firewall rules on the server that runs PDFreactor, to prevent access to internal network resources.

This release also includes the following changes:

  • JREs packaged with installers or containers have been updated to OpenJDK 12.0.1. (#7686)
  • Footnotes are no longer horizontally misaligned in rare cases. (#7588)
  • Images with a max-width value no longer lead to content overflowing paragraph. (#7595)
  • Documents containing large amounts of SVGs no longer cause non-terminating conversions in rare cases. (#7685)
  • JavaScript inserting ‘div’ elements into ‘span’ elements no longer causes exceptions in specific cases. (#7702)
  • Certain cases of single-line row flex containers no longer cause non-terminating layouts. (#7699)
  • JavaScript processing is no longer aborted when BoxDescription arrays are accessed with invalid indices. (#7692)
  • JavaScript processing is no longer aborted when BoxDescription arrays are accessed with invalid indices. (#7692)

For a full list of changes and corrections see the changelog.

Important release notes und upgrading information can be found in the readme.

The PDFreactor 10 installation packages are available for download in the download area.