
Security Bulletin: IBM DataQuant Fix for (All) Apache PDF Box (Publicly disclosed vulnerability)

Published: 2021-06-28 19:25:53
Source: www.ibm.com

CVSS3: 5.5 Medium
  Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  Attack Vector: LOCAL | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: REQUIRED | Scope: UNCHANGED
  Confidentiality Impact: NONE | Integrity Impact: NONE | Availability Impact: HIGH

CVSS2: 4.3 Medium
  Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
  Access Vector: NETWORK | Access Complexity: MEDIUM | Authentication: NONE
  Confidentiality Impact: NONE | Integrity Impact: NONE | Availability Impact: PARTIAL

EPSS: 0.001 Low (Percentile: 28.2%)

Summary

Advisory ADV00321067: CVE-2021-27807 and CVE-2021-27906

Vulnerability Details

CVEID: CVE-2021-27807
**DESCRIPTION:** Apache PDFBox is vulnerable to a denial of service, caused by an infinite loop while loading a PDF file. By persuading a victim to open a specially crafted .PDF file, an attacker could exploit this vulnerability to make the application hang or become unresponsive. The CVSS attack vector is Local because the attacker needs the victim to open the file in the application; no access to the victim's system is required.
CVSS Base score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/198451 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-27906
**DESCRIPTION:** Apache PDFBox is vulnerable to a denial of service, caused by an OutOfMemoryError while loading a PDF file. By persuading a victim to open a specially crafted .PDF file, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/198452 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Both issues are in the PDFBox document loader and are fixed upstream in Apache PDFBox 2.0.23; earlier 2.0.x releases are affected.

Affected Products and Versions

Affected Product(s)    Version(s)
DataQuant for z/OS     2.1

Remediation/Fixes

See Workarounds

Workarounds and Mitigations

Below are the manual steps for updating the Apache PDFBox jar bundled with DataQuant on Windows (the Workstation client of DataQuant for z/OS). Note that step 3 as published points at PDFBox 2.0.1, which predates the fix: both CVEs are fixed upstream in Apache PDFBox 2.0.23, so the jar that is dropped in must be 2.0.23 or later (the Apache archive has one directory per release, e.g. https://archive.apache.org/dist/pdfbox/2.0.23/). Verify the download against the SHA-512 checksum or PGP signature published on the Apache download page before installing it.

  1. Close DataQuant.
  2. Delete the plugin pdfbox-1.7.0.jar from the location where DataQuant is installed -> C:\Program Files (x86)\IBM\IBM DataQuant\DataQuant for Workstation\plugins\com.ibm.bi.thirdparty_2.1.7.20170216\Other
  3. Download the pdfbox jar from https://pdfbox.apache.org/download.cgi or https://archive.apache.org/dist/pdfbox/2.0.1/ (see the note above on the version) and copy it (pdfbox-2.0.1.jar in IBM's instructions) to the folder where DataQuant is installed -> C:\Program Files (x86)\IBM\IBM DataQuant\DataQuant for Workstation\plugins\com.ibm.bi.thirdparty_2.1.7.20170216\Other
  4. Rename the jar from pdfbox-2.0.1.jar to pdfbox-1.7.0.jar, presumably because the plugin references the jar by that name. Because the file name no longer reflects the real version, record the change in your inventory: a file-name based scan will keep reporting PDFBox 1.7.0.
  5. Relaunch DataQuant.
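The rename in step 4 leaves a jar on disk whose name no longer says what is inside it, so a file-name based check cannot tell whether the patched library is actually in place. The following script is an added example, not IBM's or Apache's code: it reads the version from the jar's own build metadata (the Maven pom.properties and the OSGi Bundle-Version header that Maven-built PDFBox jars carry; treat those locations as assumptions and confirm them against your real download) and compares it with 2.0.23, the first PDFBox release containing the fix for both CVEs. The sample jars are constructed in memory so the script runs offline; point `pdfbox_version_from_jar` at the bytes of the real pdfbox-1.7.0.jar in the plugin folder to audit an installation.

```python
"""Report the real Apache PDFBox version inside a jar, ignoring its file name."""
import io
import re
import zipfile
from typing import Optional, Tuple

# First upstream release fixing CVE-2021-27807 and CVE-2021-27906.
FIXED_VERSION = (2, 0, 23)

# Metadata locations assumed for a Maven-built PDFBox jar (assumption, verify on a real jar).
POM_PROPERTIES = "META-INF/maven/org.apache.pdfbox/pdfbox/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.0.23' (or '2.0.23-SNAPSHOT') into a tuple that compares numerically."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def pdfbox_version_from_jar(jar_bytes: bytes) -> Optional[str]:
    """Read the version recorded inside the jar; the file name is deliberately ignored.

    pom.properties (written by maven-archiver) is preferred; Bundle-Version in the
    manifest (written by the bundle plugin) is the fallback. None if neither exists.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        if MANIFEST in names:
            manifest = jar.read(MANIFEST).decode("utf-8", "replace")
            m = re.search(r"^Bundle-Version:\s*(\S+)", manifest, re.MULTILINE)
            if m:
                return m.group(1)
    return None


def is_fixed(version: Optional[str]) -> bool:
    """True only when the jar carries a version at or after FIXED_VERSION."""
    if version is None:
        return False  # unknown provenance counts as unpatched
    return parse_version(version) >= FIXED_VERSION


def audit(jar_bytes: bytes, on_disk_name: str) -> dict:
    """One inventory record: what the file is called versus what it actually is."""
    version = pdfbox_version_from_jar(jar_bytes)
    return {"file": on_disk_name, "version": version, "fixed": is_fixed(version)}


def build_sample_jar(version: str, with_pom: bool = True) -> bytes:
    """Constructed stand-in for a PDFBox jar: only the metadata entries matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            MANIFEST,
            "Manifest-Version: 1.0\r\n"
            "Bundle-SymbolicName: org.apache.pdfbox\r\n"
            f"Bundle-Version: {version}\r\n\r\n",
        )
        if with_pom:
            jar.writestr(
                POM_PROPERTIES,
                f"version={version}\ngroupId=org.apache.pdfbox\nartifactId=pdfbox\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Both samples sit on disk under the name the workaround leaves behind.
    for v in ("2.0.1", "2.0.23"):
        print(audit(build_sample_jar(v), "pdfbox-1.7.0.jar"))
```

The version in the jar is authoritative; the file name is not. Running the audit against the plugin folder after the workaround should show `fixed: True`, and if it shows 2.0.1 the library is still vulnerable despite the rename.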

CPE
Name: dataquant for z/os | Operator: eq | Version: 2.1
