We have been made aware by Sean Melia of Aon’s Cyber Solutions that information has recently been published in social media about potential vulnerabilities in systems which use PDFreactor to convert data from untrusted sources. This could be used for Server Side Request Forgery, file system access and other similar attacks. A potential attacker could gain access to data on the server or internal networks. We would like to inform PDFreactor customers about this and highlight measures that can be taken to avoid this risk.
Does this affect me?
What can I do?
Should this be the case, implement appropriate measures immediately to protect your system against this sort of potential attack. Such measures can include the following:
- Stop processing any data from untrusted sources with PDFreactor
- Configure CustomUrlStreamHandlers (if you are using the PDFreactor Java Library) to filter URLs and block unwanted access to certain protocols or resources (see https://www.pdfreactor.com/product/doc/apidocs/index.html?com/realobjects/pdfreactor/Configuration.CustomUrlStreamHandler.html)
- Run the PDFreactor service under a user that has appropriately restricted privileges, e.g. without any access rights to confidential files
- Configure appropriate outbound firewall rules on the server, to prevent access to internal network resources
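The second measure above, filtering URLs before PDFreactor fetches them, can be implemented with a standard `java.net.URLStreamHandler`. The class below is an added example and is not RealObjects code: it rejects every scheme except http/https, rejects credentials in the URL, resolves the host and refuses any URL whose name resolves to a loopback, link-local, private (RFC 1918, 100.64/10, fc00::/7) or multicast address, so that PDFreactor never opens a connection to an internal resource. The wiring into `Configuration.CustomUrlStreamHandler` is documented at the API link above and is assumed here to accept a protocol name together with a handler instance; the sample URLs in `main` are constructed and use literal addresses so that the demonstration needs no DNS.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.net.UnknownHostException;
import java.util.Set;

/**
 * Added example, not part of PDFreactor: a URLStreamHandler that checks a URL
 * against an allow-policy before the JDK opens the connection. Assumption: the
 * handler is handed to PDFreactor through Configuration.CustomUrlStreamHandler
 * and is NOT registered globally with URL.setURLStreamHandlerFactory, so the
 * delegating URL built in openConnection() uses the JDK's built-in handler.
 */
public final class PublicOnlyHttpHandler extends URLStreamHandler {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Raised for any URL that fails the policy; the resource is then not loaded. */
    public static final class BlockedUrlException extends IOException {
        BlockedUrlException(String reason) { super("blocked by URL policy: " + reason); }
    }

    @Override
    protected URLConnection openConnection(URL url) throws IOException {
        checkAllowed(url);
        // Delegate to the JDK's default http/https handler once the URL passed the policy.
        return new URL(null, url.toExternalForm(), null).openConnection();
    }

    /** Policy: http(s) only, no userinfo, host must resolve only to public addresses. */
    public static void checkAllowed(URL url) throws BlockedUrlException {
        String scheme = url.getProtocol().toLowerCase();
        if (!ALLOWED_SCHEMES.contains(scheme)) {
            throw new BlockedUrlException("scheme '" + scheme + "' is not permitted");
        }
        if (url.getUserInfo() != null) {
            throw new BlockedUrlException("credentials in URL are not permitted");
        }
        String host = url.getHost();
        if (host == null || host.isEmpty()) {
            throw new BlockedUrlException("missing host");
        }
        InetAddress[] addresses;
        try {
            addresses = InetAddress.getAllByName(host);
        } catch (UnknownHostException e) {
            throw new BlockedUrlException("host does not resolve: " + host);
        }
        // Every address the name resolves to must be public; a single
        // internal record is enough to reject the whole URL.
        for (InetAddress a : addresses) {
            if (isNonPublic(a)) {
                throw new BlockedUrlException(host + " resolves to non-public address "
                        + a.getHostAddress());
            }
        }
    }

    /** Loopback, wildcard, link-local, RFC 1918 / fec0::/10, multicast, 100.64/10, fc00::/7. */
    static boolean isNonPublic(InetAddress a) {
        return a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()
                || isSharedAddressSpace(a) || isUniqueLocalV6(a);
    }

    /** 100.64.0.0/10 (carrier-grade NAT), which the JDK does not treat as site-local. */
    private static boolean isSharedAddressSpace(InetAddress a) {
        byte[] b = a.getAddress();
        return b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40;
    }

    /** fc00::/7 unique local IPv6; isSiteLocalAddress() only covers fec0::/10. */
    private static boolean isUniqueLocalV6(InetAddress a) {
        byte[] b = a.getAddress();
        return b.length == 16 && (b[0] & 0xfe) == 0xfc;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs with literal addresses (no DNS lookups needed).
        String[] samples = {
            "https://198.51.100.10/report",   // TEST-NET-2, treated as public by the policy
            "http://127.0.0.1:8080/status",
            "http://10.0.0.5/",
            "http://100.64.3.7/",
            "http://[::1]/",
            "http://[fd12:3456::1]/",
            "http://user:pw@198.51.100.10/",
            "file:///tmp/sample.txt"
        };
        for (String s : samples) {
            try {
                checkAllowed(new URL(s));
                System.out.println("ALLOW  " + s);
            } catch (BlockedUrlException e) {
                System.out.println("BLOCK  " + s + "  (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check resolves the host once and the JDK resolves it again when the connection is opened, so a name whose DNS answer changes between the two lookups could still reach an internal address; this is why the handler should be combined with the outbound firewall rules from the last measure rather than relied on alone. Keeping the validation in a public static method also lets it be unit-tested without involving PDFreactor at all.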