Important PDFreactor Security Advisory

A maintenance release for PDFreactor 10 is now available. This release addresses security vulnerabilities that affect all PDFreactor versions prior to this one.

What are the vulnerabilities?

PDFreactor releases prior to 10.1.10722 are vulnerable to server-side request forgery (SSRF; CVE-2019-12153: by Sean Melia of Aon’s Cyber Solutions) and to attacks using XML external entity processing (XXE; CVE-2019-12154: by Sean Melia of Aon’s Cyber Solutions).

How can these vulnerabilities be exploited?

PDFreactor works under the assumption that all content and data (HTML, CSS, JavaScript etc.) it processes comes from trusted sources. However, this may not always be the case depending on your integration. If attackers are able to inject custom HTML, CSS or JavaScript into the content which is processed by PDFreactor, they may be able to gain access to files on the PDFreactor server or private network resources.

XXE can be exploited by declaring external entities in XML files in such a way that they load private files or network resources, which is essentially an SSRF attack. In addition, malicious XML can be used for a denial-of-service (DoS) attack via the so-called “billion laughs” attack.

How are these vulnerabilities addressed by this release?

PDFreactor now features security settings which can prevent these exploits:

By default PDFreactor no longer loads resources from the server’s file system. There are certain exceptions to this general security rule, so please refer to the chapter “Security” in the PDFreactor manual for a more detailed explanation. This protects against SSRF.

When converting XML documents, PDFreactor will no longer automatically load external XML parser resources, such as DTDs, entities or XIncludes. This protects against DoS attacks using XXE.
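The XML-side mitigation described above (no DTDs, entities or XIncludes loaded) and the XXE and billion-laughs risks from the earlier section, shown as an added example using Python's standard-library expat parser. This is not PDFreactor's code; the sample documents and the `file:///placeholder/...` path in them are constructed placeholders.

```python
import xml.parsers.expat as expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

class UnsafeXmlError(ValueError):
    """A document asked the parser for something that is never allowed."""

def parse_hardened(xml_text: str) -> dict:
    """Parse xml_text and return {local element name: count}. Any DOCTYPE,
    entity declaration, external entity reference or XInclude element aborts
    parsing before any expansion or file/network access can happen."""
    parser = expat.ParserCreate(namespace_separator=" ")
    counts = {}

    def reject(reason):
        raise UnsafeXmlError(reason)

    parser.StartDoctypeDeclHandler = lambda name, *_: reject(
        f"DOCTYPE {name!r} rejected: DTD processing is disabled")
    parser.EntityDeclHandler = lambda name, *_: reject(
        f"entity {name!r} rejected: entity declarations are disabled")
    parser.ExternalEntityRefHandler = lambda ctx, base, sysid, pubid: reject(
        f"external entity {sysid!r} rejected: no external resources are loaded")
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def start_element(name, attrs):
        ns, _, local = name.rpartition(" ")  # "namespace local" or "local"
        if ns == XINCLUDE_NS:
            reject(f"XInclude <{local}> rejected: XIncludes are disabled")
        counts[local] = counts.get(local, 0) + 1

    parser.StartElementHandler = start_element
    parser.Parse(xml_text, True)
    return counts

def is_rejected(xml_text: str) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(xml_text)
    except UnsafeXmlError:
        return True
    return False

# Constructed sample documents (placeholder content, not from the advisory).
SAFE_DOC = "<doc><p>hello</p><p>world</p></doc>"
LAUGHS_DOC = ('<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;">]>'
              "<lolz>&lol2;</lolz>")  # shape of a billion-laughs document
XXE_DOC = '<!DOCTYPE d [<!ENTITY x SYSTEM "file:///placeholder/secret">]><d>&x;</d>'
XINCLUDE_DOC = f'<d xmlns:xi="{XINCLUDE_NS}"><xi:include href="file:///placeholder/secret"/></d>'
```

Rejecting any DOCTYPE is deliberately stricter than only disabling external entities, since internal entities alone are enough for the billion-laughs expansion.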

Important! Before updating, please refer to the migration guide for more information as these changes might impact the functionality of existing integrations.

Please note that, depending on the integration and usage scenario, the security settings of PDFreactor need to be configured appropriately. Please refer to the chapter “Security” in the PDFreactor manual. Also, depending on the integration and usage scenario, it might be advisable to configure appropriate outbound firewall rules on the server that runs PDFreactor, to prevent access to internal network resources.

If you have any questions, please contact us at support@realobjects.com or open a support ticket in our helpdesk at support.realobjects.com.