Security Bulletin: [All] Apache PDFBox (Publicly disclosed vulnerability)

2021-09-30 01:26:02
www.ibm.com

CVSS3: 5.5 Medium (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
  Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: UNCHANGED
  Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: HIGH

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE
  Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: PARTIAL

EPSS: 0.001 Low (Percentile: 30.3%)

Summary

This Security Bulletin provides steps to manually upgrade Apache PDFBox for IBM DataQuant.

Vulnerability Details

CVEID: CVE-2021-31811
**DESCRIPTION:** Apache PDFBox is vulnerable to a denial of service, caused by an out-of-memory exception while loading a file. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/203615 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-31812
**DESCRIPTION:** Apache PDFBox is vulnerable to a denial of service, caused by an error while loading a file. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to cause the system to enter into an infinite loop.
CVSS Base score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/203587 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)    Version(s)
DataQuant for z/OS     2.1

Remediation/Fixes

Please see ‘Workarounds and Mitigations’

Workarounds and Mitigations

Below are the manual steps for updating the Apache PDFBox version used by DataQuant on Windows:

  1. Close DataQuant.
  2. Delete the plugin pdfbox-1.7.0.jar from the location where DataQuant is installed: C:\Program Files (x86)\IBM\IBM DataQuant\DataQuant for Workstation\plugins\com.ibm.bi.thirdparty_2.1.7.20170216\Other
  3. Download the pdfbox plugin from https://pdfbox.apache.org/download.cgi or https://archive.apache.org/dist/pdfbox/2.0.24/, then copy the plugin pdfbox-2.0.24.jar to the folder where DataQuant is installed: C:\Program Files (x86)\IBM\IBM DataQuant\DataQuant for Workstation\plugins\com.ibm.bi.thirdparty_2.1.7.20170216\Other
  4. Rename the jar from pdfbox-2.0.24.jar to pdfbox-1.7.0.jar.
  5. Relaunch DataQuant.
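The same steps as a PowerShell script, added here as an example and not part of IBM's bulletin: it refuses to run while DataQuant is open, keeps a timestamped backup instead of deleting the old jar, checks that the downloaded file really is a PDFBox jar, and records SHA-256 hashes of both files for the change record. The plugin directory is the one given in the bulletin; the process name "DataQuant" and the location of the downloaded jar are assumptions supplied by the operator.

```powershell
# Added example, not IBM's script: performs steps 2-4 of the bulletin with a
# backup and basic checks. The plugin directory is the one from the bulletin;
# the path to the downloaded pdfbox-2.0.24.jar is passed in by the operator.
param(
    [Parameter(Mandatory = $true)]
    [string]$NewJar,
    [string]$PluginDir = 'C:\Program Files (x86)\IBM\IBM DataQuant\DataQuant for Workstation\plugins\com.ibm.bi.thirdparty_2.1.7.20170216\Other'
)
$ErrorActionPreference = 'Stop'
$oldJar = Join-Path $PluginDir 'pdfbox-1.7.0.jar'

# Step 1: refuse to run while DataQuant is open. The process name 'DataQuant'
# is an assumption; adjust it to the executable name on your workstation.
if (Get-Process -Name 'DataQuant' -ErrorAction SilentlyContinue) {
    throw 'DataQuant is still running; close it before replacing the plugin.'
}
if (-not (Test-Path $NewJar)) { throw "Replacement jar not found: $NewJar" }
if (-not (Test-Path $oldJar)) { throw "Expected plugin not found: $oldJar" }

# Sanity check: the replacement must be a real jar containing PDFBox classes,
# not a saved HTML error page or the wrong download.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($NewJar)
try {
    if (-not $zip.GetEntry('org/apache/pdfbox/pdmodel/PDDocument.class')) {
        throw "$NewJar does not contain org.apache.pdfbox.pdmodel.PDDocument"
    }
} finally { $zip.Dispose() }

# Record hashes of the file being replaced and its replacement for the change log.
$before = (Get-FileHash -Algorithm SHA256 $oldJar).Hash
$after  = (Get-FileHash -Algorithm SHA256 $NewJar).Hash

# Step 2, done as a backup rather than a delete: move the old jar aside.
$backupDir = Join-Path $PluginDir ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null
Move-Item -Path $oldJar -Destination (Join-Path $backupDir 'pdfbox-1.7.0.jar')

# Steps 3 and 4 in one operation: copy the 2.0.24 jar into place under the old
# file name, which is the name the com.ibm.bi.thirdparty plugin expects.
Copy-Item -Path $NewJar -Destination $oldJar

Write-Host "Replaced pdfbox-1.7.0.jar (SHA256 $before) with the 2.0.24 jar (SHA256 $after)."
Write-Host "Backup of the original jar: $backupDir. Step 5: relaunch DataQuant."
```

Run it from an elevated prompt, since the plugin directory lives under Program Files.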

CPE Name              Operator    Version
dataquant for z/os    eq          2.1
