CVE-2021-27906: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file
First published: Fri Mar 19 2021(Updated: )
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/pdfbox | <2.0.23 | 2.0.23 |
| Apache PDFBox | >=2.0.0<=2.0.22 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Oracle Banking Corporate Lending Process Management | =14.2.0 | |
| Oracle Banking Corporate Lending Process Management | =14.3.0 | |
| Oracle Banking Corporate Lending Process Management | =14.5.0 | |
| Oracle Banking Credit Facilities Process Management | =14.2.0 | |
| Oracle Banking Credit Facilities Process Management | =14.3.0 | |
| Oracle Banking Credit Facilities Process Management | =14.5.0 | |
| Oracle Banking Supply Chain Finance | =14.2.0 | |
| Oracle Banking Supply Chain Finance | =14.3.0 | |
| Oracle Banking Supply Chain Finance | =14.5.0 | |
| Oracle Banking Trade Finance Process Management | =14.2.0 | |
| Oracle Banking Trade Finance Process Management | =14.3.0 | |
| Oracle Banking Trade Finance Process Management | =14.5.0 | |
| Oracle Banking Treasury Management | =14.5 | |
| Oracle Banking Virtual Account Management | =14.2.0 | |
| Oracle Banking Virtual Account Management | =14.3.0 | |
| Oracle Banking Virtual Account Management | =14.5.0 | |
| Oracle Communications Session Report Manager | >=8.0.0<=8.2.4.0 | |
| Oracle FLEXCUBE Universal Banking | >=14.0.0<=14.3.0 | |
| Oracle FLEXCUBE Universal Banking | =14.5.0 | |
| Oracle Hyperion Financial Reporting | =11.1.2.4 | |
| Oracle Hyperion Financial Reporting | =11.2.6.0 | |
| Oracle Hyperion Infrastructure Technology | <11.2.8.0 | |
| Oracle Outside In Technology | =8.5.5 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| Oracle Primavera Unifier | >=17.7<=17.12 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Primavera Unifier | =20.12 | |
| Oracle Retail Customer Management and Segmentation Foundation | =19.0 | |
| Oracle Retail Xstore Point of Service | =16.0.6 | |
| Oracle Retail Xstore Point of Service | =17.0.4 | |
| Oracle Retail Xstore Point of Service | =18.0.3 | |
| Oracle Retail Xstore Point of Service | =19.0.2 | |
| Oracle Retail Xstore Point of Service | =20.0.1 | |
| Oracle WebCenter Sites | =12.2.1.3.0 | |
| Oracle WebCenter Sites | =12.2.1.4.0 | |
| Oracle Communications Messaging Server | =8.1 | |
| IBM Security Risk Manager on CP4S | <=CP4S 1.7.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-27906 https://nvd.nist.gov/vuln/detail/CVE-2021-27906
- https://bugzilla.redhat.com/show_bug.cgi?id=1941050
- https://access.redhat.com/errata/RHSA-2021:3205
- https://access.redhat.com/errata/RHSA-2021:3140
- https://access.redhat.com/security/cve/cve-2021-27906
- https://www.openwall.com/lists/oss-security/2021/03/19/10
- https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd@%3Cusers.pdfbox.apache.org%3E
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1941051
- https://access.redhat.com/support/policy/updates/jboss_notes
- http://www.openwall.com/lists/oss-security/2021/03/19/10
- https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50@%3Cdev.pdfbox.apache.org%3E
- https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E
- https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E
- https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r64982b768c8a2220b07aaf813bd099a9863de0d13eb212fd4efe208f@%3Cusers.pdfbox.apache.org%3E
- https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12@%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e@%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c@%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3@%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rdf78aef4793362e778e21e34328b0456e302bde4b7e74f229df0ee04@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9@%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/rdf78aef4793362e778e21e34328b0456e302bde4b7e74f229df0ee04%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r64982b768c8a2220b07aaf813bd099a9863de0d13eb212fd4efe208f%40%3Cusers.pdfbox.apache.org%3E
- https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50%40%3Cdev.pdfbox.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H/
- https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b%40%3Cnotifications.james.apache.org%3E
- https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8%40%3Cdev.pdfbox.apache.org%3E
- https://exchange.xforce.ibmcloud.com/vulnerabilities/198452
- https://www.ibm.com/support/pages/node/6505281 (Advisory)
Frequently Asked Questions
What is CVE-2021-27906?
CVE-2021-27906 is a vulnerability in Apache PDFBox that can be exploited by a remote attacker to cause the application to crash by convincing the victim to open a specially-crafted .PDF file.
How does CVE-2021-27906 impact Apache PDFBox?
CVE-2021-27906 can trigger an OutOfMemory-Exception while loading a PDF file, leading to a denial of service.
What is the severity of CVE-2021-27906?
The severity of CVE-2021-27906 is medium, with a severity value of 5.5.
How can the CVE-2021-27906 vulnerability be fixed?
To fix the CVE-2021-27906 vulnerability, users should update to Apache PDFBox version 2.0.23 or higher.
Where can I find more information about CVE-2021-27906?
You can find more information about CVE-2021-27906 on the CVE website (https://www.cve.org/CVERecord?id=CVE-2021-27906) and the NIST National Vulnerability Database (https://nvd.nist.gov/vuln/detail/CVE-2021-27906).
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-27906
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/last-modified-date
- agent/event
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/apache
- canonical/apache pdfbox
- version/apache pdfbox/2.0.0
- version/apache pdfbox/2.0.22
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/oracle
- canonical/oracle banking corporate lending process management
- version/oracle banking corporate lending process management/14.2.0
- version/oracle banking corporate lending process management/14.3.0
- version/oracle banking corporate lending process management/14.5.0
- canonical/oracle banking credit facilities process management
- version/oracle banking credit facilities process management/14.2.0
- version/oracle banking credit facilities process management/14.3.0
- version/oracle banking credit facilities process management/14.5.0
- canonical/oracle banking supply chain finance
- version/oracle banking supply chain finance/14.2.0
- version/oracle banking supply chain finance/14.3.0
- version/oracle banking supply chain finance/14.5.0
- canonical/oracle banking trade finance process management
- version/oracle banking trade finance process management/14.2.0
- version/oracle banking trade finance process management/14.3.0
- version/oracle banking trade finance process management/14.5.0
- canonical/oracle banking treasury management
- version/oracle banking treasury management/14.5
- canonical/oracle banking virtual account management
- version/oracle banking virtual account management/14.2.0
- version/oracle banking virtual account management/14.3.0
- version/oracle banking virtual account management/14.5.0
- canonical/oracle communications session report manager
- version/oracle communications session report manager/8.0.0
- version/oracle communications session report manager/8.2.4.0
- canonical/oracle flexcube universal banking
- version/oracle flexcube universal banking/14.0.0
- version/oracle flexcube universal banking/14.3.0
- version/oracle flexcube universal banking/14.5.0
- canonical/oracle hyperion financial reporting
- version/oracle hyperion financial reporting/11.1.2.4
- version/oracle hyperion financial reporting/11.2.6.0
- canonical/oracle hyperion infrastructure technology
- canonical/oracle outside in technology
- version/oracle outside in technology/8.5.5
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59
- canonical/oracle primavera unifier
- version/oracle primavera unifier/17.7
- version/oracle primavera unifier/17.12
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- version/oracle primavera unifier/20.12
- canonical/oracle retail customer management and segmentation foundation
- version/oracle retail customer management and segmentation foundation/19.0
- canonical/oracle retail xstore point of service
- version/oracle retail xstore point of service/16.0.6
- version/oracle retail xstore point of service/17.0.4
- version/oracle retail xstore point of service/18.0.3
- version/oracle retail xstore point of service/19.0.2
- version/oracle retail xstore point of service/20.0.1
- canonical/oracle webcenter sites
- version/oracle webcenter sites/12.2.1.3.0
- version/oracle webcenter sites/12.2.1.4.0
- canonical/oracle communications messaging server
- version/oracle communications messaging server/8.1
- vendor/ibm
- canonical/ibm security risk manager on cp4s
- version/ibm security risk manager on cp4s/cp4s 1.7.2.0