CVE-2021-31811: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file
First published: Sat Jun 12 2021(Updated: )
Apache PDFBox is vulnerable to a denial of service, caused by an out-of-memory exception while loading a file. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to cause a denial of service.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache PDFBox | >=2.0.0<=2.0.23 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Oracle Banking Corporate Lending Process Management | =14.2.0 | |
| Oracle Banking Corporate Lending Process Management | =14.3.0 | |
| Oracle Banking Corporate Lending Process Management | =14.5.0 | |
| Oracle Banking Credit Facilities Process Management | =14.2.0 | |
| Oracle Banking Credit Facilities Process Management | =14.3.0 | |
| Oracle Banking Credit Facilities Process Management | =14.5.0 | |
| Oracle Banking Supply Chain Finance | =14.2.0 | |
| Oracle Banking Supply Chain Finance | =14.3.0 | |
| Oracle Banking Supply Chain Finance | =14.5.0 | |
| Oracle Banking Trade Finance | =14.5 | |
| Oracle Banking Treasury Management | =14.5 | |
| Oracle FLEXCUBE Universal Banking | >=14.0.0<=14.3.0 | |
| Oracle FLEXCUBE Universal Banking | =14.5 | |
| Oracle Outside In Technology | =8.5.5 | |
| Oracle Primavera Unifier | >=17.7<=17.12 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Primavera Unifier | =20.12 | |
| Oracle Retail Customer Management and Segmentation Foundation | =18.1 | |
| Oracle Communications Messaging Server | =8.1 | |
| IBM Security Risk Manager on CP4S | <=CP4S 1.7.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-31811 https://nvd.nist.gov/vuln/detail/CVE-2021-31811
- https://bugzilla.redhat.com/show_bug.cgi?id=1971648
- https://access.redhat.com/errata/RHSA-2021:3205
- https://access.redhat.com/security/cve/cve-2021-31811
- http://www.openwall.com/lists/oss-security/2021/06/12/2
- https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E
- https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e@%3Cusers.pdfbox.apache.org%3E
- https://lists.apache.org/thread.html/rf937c2236e6c79cdb99f76a70690dd345e53dbe0707cb506a202e43e@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.openwall.com/lists/oss-security/2021/06/12/2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1971649
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://lists.apache.org/thread.html/rf937c2236e6c79cdb99f76a70690dd345e53dbe0707cb506a202e43e%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/203615
- https://www.ibm.com/support/pages/node/6505281 (Advisory)
Frequently Asked Questions
What is CVE-2021-31811?
CVE-2021-31811 is a vulnerability in Apache PDFBox that can trigger an OutOfMemory-Exception while loading a PDF file, leading to a denial of service.
How does CVE-2021-31811 affect Apache PDFBox?
CVE-2021-31811 affects Apache PDFBox by causing an out-of-memory exception, which can be exploited by an attacker to cause a denial of service.
What is the severity of CVE-2021-31811?
The severity of CVE-2021-31811 is medium with a CVSS score of 5.5.
How can CVE-2021-31811 be exploited?
CVE-2021-31811 can be exploited by persuading a victim to open a specially-crafted PDF file.
How can I mitigate CVE-2021-31811?
To mitigate CVE-2021-31811, ensure you update to the latest version of Apache PDFBox when a patch becomes available.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-31811
- agent/first-publish-date
- agent/remedy
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/references
- agent/last-modified-date
- agent/event
- agent/tags
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- vendor/apache
- canonical/apache pdfbox
- version/apache pdfbox/2.0.0
- version/apache pdfbox/2.0.23
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/oracle
- canonical/oracle banking corporate lending process management
- version/oracle banking corporate lending process management/14.2.0
- version/oracle banking corporate lending process management/14.3.0
- version/oracle banking corporate lending process management/14.5.0
- canonical/oracle banking credit facilities process management
- version/oracle banking credit facilities process management/14.2.0
- version/oracle banking credit facilities process management/14.3.0
- version/oracle banking credit facilities process management/14.5.0
- canonical/oracle banking supply chain finance
- version/oracle banking supply chain finance/14.2.0
- version/oracle banking supply chain finance/14.3.0
- version/oracle banking supply chain finance/14.5.0
- canonical/oracle banking trade finance
- version/oracle banking trade finance/14.5
- canonical/oracle banking treasury management
- version/oracle banking treasury management/14.5
- canonical/oracle flexcube universal banking
- version/oracle flexcube universal banking/14.0.0
- version/oracle flexcube universal banking/14.3.0
- version/oracle flexcube universal banking/14.5
- canonical/oracle outside in technology
- version/oracle outside in technology/8.5.5
- canonical/oracle primavera unifier
- version/oracle primavera unifier/17.7
- version/oracle primavera unifier/17.12
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- version/oracle primavera unifier/20.12
- canonical/oracle retail customer management and segmentation foundation
- version/oracle retail customer management and segmentation foundation/18.1
- canonical/oracle communications messaging server
- version/oracle communications messaging server/8.1
- vendor/ibm
- canonical/ibm security risk manager on cp4s
- version/ibm security risk manager on cp4s/cp4s 1.7.2.0