CVE-2021-20838

7.5 HIGH

📋 TL;DR

This vulnerability allows remote unauthenticated attackers to conduct XML External Entity (XXE) attacks against Office Server Document Converter, potentially causing denial of service (DoS) conditions. It affects users of Office Server Document Converter V7.2MR4 and earlier, and V7.1MR7 and earlier, who process XML documents through the vulnerable software.

💻 Affected Systems

Products:
  • Office Server Document Converter
Versions: V7.2MR4 and earlier, V7.1MR7 and earlier
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All installations processing XML documents are vulnerable. The vulnerability exists in the XML parsing functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption through DoS, potential information disclosure via XXE, and possible server-side request forgery (SSRF) leading to internal network reconnaissance.

🟠 Likely Case

Denial of service causing document conversion services to become unavailable, disrupting business workflows that rely on this functionality.

🟢 If Mitigated

Limited impact with proper network segmentation and input validation, though service disruption remains possible.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation makes internet-facing instances particularly vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still exploit this, but requires network access to the vulnerable service.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE vulnerabilities are well-understood and typically easy to exploit with standard XXE payloads. The unauthenticated nature lowers the barrier to exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V7.2MR5 and later, V7.1MR8 and later

Vendor Advisory: https://www.antenna.co.jp/news/2021/osdc72-20211027.html

Restart Required: Yes

Instructions:

1. Download the latest version from the Antenna House website.
2. Back up the current configuration.
3. Install the updated version.
4. Restart the Office Server Document Converter service.
5. Verify functionality with test documents.

🔧 Temporary Workarounds

Disable external entity processing

all

Configure XML parser to disable external entity resolution

Set XML parser properties: FEATURE_SECURE_PROCESSING=true, DISALLOW_DOCTYPE_DECL=true

Input validation filtering

all

Implement XML input validation to reject documents with DOCTYPE declarations

Use XML schema validation or regex filtering for DOCTYPE declarations
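
A pre-conversion check for the "Input validation filtering" workaround, as an added example that is not Antenna House code or part of the original advisory. It assumes standalone XML documents can be inspected as raw bytes before they reach the converter, and it uses Python's bundled expat parser instead of a regex so the DOCTYPE is detected regardless of the document's encoding. The function names and sample documents are constructed for illustration.

```python
import xml.parsers.expat


class DoctypeFound(Exception):
    """Raised from the expat callback to abort parsing at the DOCTYPE."""


def _on_doctype(name, system_id, public_id, has_internal_subset):
    # Fires when the parser reaches "<!DOCTYPE", before any entity
    # declaration in the subset is processed, so nothing gets expanded.
    raise DoctypeFound(name)


def check_xml(data: bytes) -> tuple[bool, str]:
    """Return (accept, reason); accept only well-formed XML with no DOCTYPE."""
    parser = xml.parsers.expat.ParserCreate()  # encoding from BOM / XML declaration
    parser.StartDoctypeDeclHandler = _on_doctype
    try:
        parser.Parse(data, True)
    except DoctypeFound as exc:
        return False, f"DOCTYPE declaration for root element {exc.args[0]!r}"
    except xml.parsers.expat.ExpatError as exc:
        # Fail closed: anything this parser cannot read is not forwarded.
        return False, f"not well-formed: {exc}"
    return True, "ok"


# Constructed sample inputs (not taken from any real traffic).
_BODY = '<!DOCTYPE doc [<!ENTITY e "x">]><doc>&e;</doc>'
SAMPLES = {
    "clean": b'<?xml version="1.0"?><doc><p>hello</p></doc>',
    "doctype_utf8": ('<?xml version="1.0"?>' + _BODY).encode("utf-8"),
    # Same declaration in UTF-16: a byte-level search for b"<!DOCTYPE"
    # does not match here, the encoding-aware parser still sees it.
    "doctype_utf16": ('<?xml version="1.0" encoding="UTF-16"?>' + _BODY).encode("utf-16"),
    "malformed": b"<doc><p>unclosed</doc>",
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        accept, reason = check_xml(doc)
        print(f"{label:14} {'ACCEPT' if accept else 'REJECT'}  {reason}")
```

Forward a document to the converter only when `check_xml` returns `True`; this reduces exposure until V7.2MR5 or V7.1MR8 is installed and does not replace the patch.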

🧯 If You Can't Patch

  • Implement network-level controls to restrict access to the document converter service
  • Deploy a web application firewall (WAF) with XXE protection rules

🔍 How to Verify

Check if Vulnerable:

Check the software version via administrative interface or configuration files. Versions V7.2MR4 or earlier, or V7.1MR7 or earlier are vulnerable.

Check Version:

Check the software version in the administration console or configuration files (version.txt or similar)

Verify Fix Applied:

Verify installation of V7.2MR5 or later, or V7.1MR8 or later. Test with known safe XML documents to ensure functionality.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed XML parsing attempts
  • Unusual XML document processing errors
  • Increased memory/CPU usage during XML processing

Network Indicators:

  • Unusual XML document uploads to document converter endpoints
  • External entity resolution attempts in network traffic

SIEM Query:

source="document_converter" AND (error="XML parsing" OR error="DOCTYPE")
