CVE-2019-14817

7.8 HIGH

📋 TL;DR

This vulnerability in Ghostscript allows specially crafted PostScript files to bypass the -dSAFER security sandbox. Attackers could gain file system access or execute arbitrary commands on affected systems. Anyone using Ghostscript versions before 9.50 to process untrusted PostScript/PDF files is affected.

💻 Affected Systems

Products:
  • Ghostscript
  • Applications embedding Ghostscript (ImageMagick, LibreOffice, etc.)
  • PDF processing tools using Ghostscript
Versions: All versions prior to 9.50
Operating Systems: Linux, Windows, macOS, Unix variants
Default Config Vulnerable: ⚠️ Yes
Notes: This is a bypass of the -dSAFER sandbox, so it applies when PostScript/PDF files are processed with the -dSAFER flag enabled. Many applications enable -dSAFER by default when using Ghostscript.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through arbitrary command execution, potentially leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case

File system access allowing reading of sensitive files, planting backdoors, or limited command execution within the Ghostscript process context.

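🟢 If Mitigated

No impact if -dSAFER is not used or if Ghostscript is not exposed to untrusted input. Without -dSAFER there is no sandbox for this flaw to bypass, so PostScript input already has the file and command access the sandbox is meant to withhold.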

🌐 Internet-Facing: HIGH if Ghostscript processes user-uploaded files via web applications or APIs.
🏢 Internal Only: MEDIUM for internal document processing systems that handle potentially malicious files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires delivering a malicious PostScript file to a vulnerable Ghostscript instance. Public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Ghostscript 9.50 and later

Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:2594

Restart Required: No

Instructions:

1. Update Ghostscript to version 9.50 or later.
2. For Linux: Use the package manager (apt-get upgrade ghostscript, yum update ghostscript).
3. For Windows: Download from ghostscript.com.
4. Restart any services using Ghostscript.

🔧 Temporary Workarounds

Disable PostScript processing (all platforms)

Configure applications to disable PostScript processing or use alternative PDF processors.

Sandbox Ghostscript execution (Linux)

Run Ghostscript in a container or with minimal privileges:

docker run --read-only -v /tmp:/tmp ghostscript
sudo -u nobody gs -dSAFER ...

🧯 If You Can't Patch

  • Implement strict input validation to reject suspicious PostScript files
  • Isolate Ghostscript processes using SELinux/AppArmor or run in dedicated virtual machines

🔍 How to Verify

Check if Vulnerable:

Check the Ghostscript version with gs --version. If the version is below 9.50, the system is vulnerable.

Check Version:

gs --version

Verify Fix Applied:

After updating, run gs --version and confirm the version is 9.50 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Ghostscript process execution patterns
  • Large PostScript file processing errors
  • System commands executed from Ghostscript context

Network Indicators:

  • Unexpected outbound connections from document processing servers
  • File uploads to document processing endpoints followed by command execution

SIEM Query:

process_name:"gs" AND (command_line:"*exec*" OR command_line:"*shell*" OR command_line:"*system*")
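
The "system commands executed from Ghostscript context" indicator can also be checked on the parent/child relationship rather than on the gs command line. The following is an added example, not code from the original page or from Ghostscript: it scans process-creation events for children started by a Ghostscript binary. The JSON field names (parent_image, image, command_line, host), the binary-name list and the sample events are assumptions constructed for illustration; map them to your EDR, auditd or Sysmon schema.

```python
import json
import ntpath

# Assumption: common Ghostscript binary names on Unix-like systems and Windows.
GS_NAMES = {"gs", "ghostscript", "gswin32c.exe", "gswin64c.exe"}
# Assumption: children your conversion jobs legitimately start (e.g. a print spooler).
ALLOWED_CHILDREN = set()

def basename(path):
    """Lower-cased file name; ntpath splits on both '/' and '\\'."""
    return ntpath.basename(path).lower()

def suspicious_gs_children(lines):
    """Return events in which a Ghostscript process created an unexpected child."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if not isinstance(ev, dict):
            continue
        parent = basename(ev.get("parent_image") or "")
        child = basename(ev.get("image") or "")
        if parent in GS_NAMES and child and child not in GS_NAMES | ALLOWED_CHILDREN:
            findings.append(ev)
    return findings

# Constructed sample events, one JSON object per line (not real telemetry).
SAMPLE_EVENTS = [
    r'{"host":"conv01","parent_image":"/usr/bin/convert","image":"/usr/bin/gs","command_line":"gs -dSAFER -sDEVICE=png16m -o out.png in.ps"}',
    r'{"host":"conv01","parent_image":"/usr/bin/gs","image":"/bin/sh","command_line":"sh -c id"}',
    r'{"host":"win07","parent_image":"C:\\gs\\bin\\gswin64c.exe","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c whoami"}',
    r'{"host":"conv01","parent_image":"/usr/sbin/sshd","image":"/bin/bash","command_line":"-bash"}',
    "truncated {",
]

if __name__ == "__main__":
    for ev in suspicious_gs_children(SAMPLE_EVENTS):
        print(f'{ev["host"]}: {ev["parent_image"]} -> {ev["image"]} ({ev["command_line"]})')
```

The first sample event (an image converter starting gs) is normal and is not flagged; only events where gs itself is the parent are reported.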
