CVE-2018-8036
First published: Fri Jun 29 2018(Updated: )
In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/pdfbox | <1.8.15 | 1.8.15 |
| redhat/pdfbox | <2.0.10 | 2.0.10 |
| Apache PDFBox | >1.8.0<=1.8.14 | |
| Apache PDFBox | >=2.0.0<=2.0.10 | |
| Apache PDFBox | =2.0.0-rc1 | |
| Apache PDFBox | =2.0.0-rc2 | |
| Apache PDFBox | =2.0.0-rc3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2018:2669
- https://lists.apache.org/thread.html/9f62f742fd4fcd81654a9533b8a71349b064250840592bcd502dcfb6@%3Cusers.pdfbox.apache.org%3E
- https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540@%3Cdev.syncope.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- http://www.openwall.com/lists/oss-security/2018/06/29/1
- https://www.apache.org/dist/pdfbox/2.0.11/RELEASE-NOTES.txt
- https://www.apache.org/dist/pdfbox/1.8.15/RELEASE-NOTES.txt
- https://issues.apache.org/jira/projects/PDFBOX/issues/PDFBOX-4251
- http://svn.apache.org/viewvc/pdfbox/trunk/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java?rev=1834048&r1=1834047&r2=1834048&view=diff
- http://svn.apache.org/viewvc/pdfbox/branches/2.0/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java?rev=1834046&r1=1834045&r2=1834046&view=diff
- http://svn.apache.org/viewvc/pdfbox/branches/1.8/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java?rev=1834047&r1=1834046&r2=1834047&view=diff
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1597491
- https://bugzilla.redhat.com/show_bug.cgi?id=1597490
- https://lists.apache.org/thread.html/9f62f742fd4fcd81654a9533b8a71349b064250840592bcd502dcfb6%40%3Cusers.pdfbox.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ/
- https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540%40%3Cdev.syncope.apache.org%3E
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2018-8036.
What is the severity of CVE-2018-8036?
The severity of CVE-2018-8036 is medium.
Which software versions are affected by CVE-2018-8036?
Apache PDFBox versions 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10 are affected by CVE-2018-8036.
How can the vulnerability be exploited?
A carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
How can I fix CVE-2018-8036?
To fix CVE-2018-8036, update Apache PDFBox to version 1.8.15 or 2.0.11.
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-8036
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache pdfbox
- version/apache pdfbox/1.8.14
- version/apache pdfbox/2.0.0
- version/apache pdfbox/2.0.10
- version/apache pdfbox/2.0.0-rc1
- version/apache pdfbox/2.0.0-rc2
- version/apache pdfbox/2.0.0-rc3
- package-manager/redhat