CVE-2019-12154
📋 TL;DR
This XXE vulnerability in PDFreactor's XML parser allows attackers to inject malicious XML content through external references, potentially reading local files or causing denial of service. It affects all PDFreactor users running versions before 10.1.10722. Attackers can exploit this to access sensitive system files or crash the service.
💻 Affected Systems
- RealObjects PDFreactor
📦 What is this software?
PDFreactor by RealObjects
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via sensitive file disclosure (including credentials, configuration files) leading to lateral movement and data exfiltration, plus service disruption.
Likely Case
Local file disclosure of accessible files (web server files, configuration) and potential denial of service through resource exhaustion.
If Mitigated
Limited impact with proper network segmentation, file permissions, and input validation blocking external entity references.
🎯 Exploit Status
Public technical details and proof-of-concept available in security advisories. Exploitation requires sending malicious XML to PDFreactor's XML processing functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.1.10722
Vendor Advisory: https://www.pdfreactor.com/important-pdfreactor-security-advisory/
Restart Required: Yes
Instructions:
1. Download PDFreactor version 10.1.10722 or later from the vendor website.
2. Stop the PDFreactor service.
3. Back up configuration and data.
4. Install the updated version.
5. Restart the PDFreactor service.
6. Verify functionality.
🔧 Temporary Workarounds
Disable External Entity Processing
Configure the XML parser to disable external entity resolution and DTD processing
Set PDFreactor configuration: xmlParserFeatures = "http://apache.org/xml/features/disallow-doctype-decl"
Set PDFreactor configuration: xmlParserProperties = {"http://apache.org/xml/properties/security-manager": ""}
Input Validation Filtering
Implement XML input validation that rejects or sanitizes external entity references
Implement pre-processing filter to remove DOCTYPE declarations and external entity references from XML input
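An added example of such a pre-processing filter (not part of this advisory or of PDFreactor itself): it scans each document with Python's expat parser and rejects anything carrying a DOCTYPE, an entity declaration or an external entity reference before the XML is forwarded to PDFreactor. The sample documents are constructed for the example.

```python
import xml.parsers.expat as expat

class UnsafeXml(Exception):
    """Raised as soon as the scan meets a construct the filter forbids."""

class XxePrefilter:
    """Streaming pre-filter: rejects DOCTYPE declarations, entity declarations and
    external entity references before the document is forwarded to PDFreactor."""

    def __init__(self):
        self.parser = expat.ParserCreate()
        self.parser.StartDoctypeDeclHandler = self._doctype
        self.parser.EntityDeclHandler = self._entity_decl
        self.parser.ExternalEntityRefHandler = self._external_ref
        # Never fetch or expand parameter entities (external DTD subsets) while scanning.
        self.parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def _doctype(self, name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE is rejected outright: the DTD is where entities get defined.
        raise UnsafeXml(f"DOCTYPE declaration for '{name}'")

    def _entity_decl(self, name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if sysid else "internal"
        raise UnsafeXml(f"{kind} entity declaration '{name}'")

    def _external_ref(self, context, base, sysid, pubid):
        # Defence in depth; normally unreachable because the DOCTYPE handler fires first.
        raise UnsafeXml(f"external entity reference to '{sysid}'")

    def check(self, data: bytes):
        """Return (accepted, reason). Malformed XML is rejected as well."""
        try:
            self.parser.Parse(data, True)
        except UnsafeXml as exc:
            return False, str(exc)
        except expat.ExpatError as exc:
            return False, f"malformed XML: {exc}"
        return True, "ok"

def screen_xml(data: bytes):
    """Screen one document; expat parsers are single-use, so build a fresh one each time."""
    return XxePrefilter().check(data)

# Constructed sample inputs (not taken from the advisory); the SYSTEM URI is a placeholder.
SAMPLES = {
    "plain": b"<report><title>Q1</title></report>",
    "doctype": b'<!DOCTYPE r [<!ENTITY e SYSTEM "file:///placeholder/path">]><r>&e;</r>',
    "truncated": b"<report><title>Q1</title>",
}
```

Run `screen_xml()` on each inbound document and forward only those that return `(True, "ok")`; the reason string is what to write to the log entry that the detection section below looks for.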
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PDFreactor from sensitive internal systems and the internet
- Deploy web application firewall (WAF) with XXE protection rules to filter malicious XML payloads
🔍 How to Verify
Check if Vulnerable:
Check the PDFreactor version via the admin interface or configuration files. If the version is below 10.1.10722, the system is vulnerable.
Check Version:
Check PDFreactor configuration file or admin interface for version information
Verify Fix Applied:
Confirm the version is 10.1.10722 or higher. Test with a safe XXE payload to verify that external entity processing is disabled.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- Multiple failed XML processing attempts
- External entity resolution attempts in logs
- File access patterns from PDFreactor process
Network Indicators:
- XML payloads containing DOCTYPE declarations
- External entity references in XML traffic to PDFreactor
- Unusual outbound connections from PDFreactor to internal systems
SIEM Query:
source="pdfreactor" AND (message="*DOCTYPE*" OR message="*ENTITY*" OR message="*external*" OR error="*XML*" OR error="*parse*")
🔗 References
- https://blog.gdssecurity.com/labs/2019/5/28/ssrf-and-xxe-vulnerabilities-in-pdfreactor.html
- https://www.pdfreactor.com/important-pdfreactor-security-advisory/
- https://www.pdfreactor.com/pdfreactor-10-maintenance-release-10-1-10722-now-available/