CVE-2021-43113
📋 TL;DR
CVE-2021-43113 is a command injection vulnerability in iText, the Java PDF library from iTextPDF. The affected code is the CompareTool class, which renders PDFs to images by running Ghostscript and builds that Ghostscript command line from the filenames it is handed. An attacker who controls those filenames can therefore inject commands that run with the privileges of the JVM. Affected releases are iText 7 before 7.1.17 and iText 5 before 5.5.13.3; the fixes are 7.1.17 and 5.5.13.3 respectively. Exposure requires that the application actually calls CompareTool on attacker-influenced filenames and that Ghostscript is present on the host: routine PDF generation and parsing with iText does not touch this code path.
💻 Affected Systems
- iText 7 (releases before 7.1.17)
- iText 5 (releases before 5.5.13.3)
- Distribution packages of iText, for example the Debian packages covered by DSA-5323 and the Debian LTS advisory listed in the references
📦 What is this software?
iText, published by iTextPDF (now iText Group), is a Java library for creating, parsing and manipulating PDF documents. CompareTool, the affected class, is a utility that calls Ghostscript to render two PDFs and compare the results; it is intended for automated test suites rather than for handling production requests.
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution with the privileges of the JVM running iText. On a server that accepts user-supplied PDFs and feeds their names into CompareTool, that means complete host compromise, theft of any data the process can read, or ransomware deployment.
Likely Case
Arbitrary command execution on the PDF-processing host, used for data exfiltration, dropping a backdoor or web shell, or as a foothold for lateral movement within the network.
If Mitigated
Limited impact where filenames are validated against an allowlist before they reach iText, CompareTool is not reachable from untrusted input, and the process runs with minimal privileges in a sandboxed, network-segmented environment.
🎯 Exploit Status
A proof of concept is linked from Pastebin in the references below. The flaw is a plain string-interpolation bug, so any code path that passes attacker-controlled filenames to CompareTool should be assumed exploitable without further research on the attacker's part.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: iText 7.1.17 (7.x line) and iText 5.5.13.3 (5.x line)
Vendor Advisory: https://github.com/itext/itext7/releases/tag/7.1.17 and https://github.com/itext/itextpdf/releases/tag/5.5.13.3
Restart Required: Yes, in practice: the library is bundled into the application, so the application must be rebuilt against the fixed version and redeployed, which restarts the JVM.
Instructions:
1. Identify the iText version in use (see How to Verify below).
2. Update the dependency to iText 7.1.17 or later, or to 5.5.13.3 or later on the 5.x line.
3. Rebuild and redeploy every application that bundles the library.
4. Test the PDF comparison and other PDF processing functionality.
🔧 Temporary Workarounds
Disable Ghostscript Integration
CompareTool is the code path that invokes Ghostscript. Do not call it from production code or on user-supplied files; confine it to test suites, and remove Ghostscript from production hosts so the invocation cannot succeed even if it is reached.
Modify the application so that CompareTool is never used with Ghostscript on untrusted input.
Input Validation
Validate every filename parameter that can reach iText against a strict allowlist (letters, digits, dot, underscore and hyphen; no path separators; a fixed extension) rather than a denylist of shell metacharacters.
Reject anything containing shell metacharacters (;, &, |, $, backticks, <, >, quotes, newlines), and also names starting with '-' or '@', which Ghostscript itself interprets as an option or an argument file even when no shell is involved.
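The two workarounds above come down to one rule: never splice an untrusted filename into a command string, and validate the name before it goes anywhere near Ghostscript. The block below is an added example written for this page, not iText's CompareTool code (the exact way iText built its Ghostscript command line differs between the 5.x and 7.x branches and is not reproduced here). It is written in Python so the logic can be run and tested directly; the allowlist and argv pattern port unchanged to the Java application that calls iText. The allowlist policy, the `work_dir` layout and the function names are assumptions for the example.

```python
import os
import re
import subprocess
from typing import List

# Allowlist for a user-supplied PDF base name (hypothetical policy, not iText's):
#   - letters, digits, '.', '_', '-' only: no path separators, whitespace or
#     shell metacharacters (; & | $ ` < > quotes, newlines)
#   - first character must not be '-' (Ghostscript parses it as a switch) or
#     '@' (Ghostscript reads "@file" as a file of extra command-line arguments)
#   - must end in .pdf, 255 characters at most
SAFE_PDF_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,250}\.pdf", re.IGNORECASE)


def is_safe_pdf_name(name: str) -> bool:
    """True only if the whole name matches the allowlist above."""
    return SAFE_PDF_NAME.fullmatch(name) is not None


def validate_pdf_name(name: str) -> str:
    """Return the name unchanged, or raise if it fails the allowlist."""
    if not is_safe_pdf_name(name):
        raise ValueError(f"rejected filename: {name!r}")
    return name


def vulnerable_gs_command(pdf_name: str) -> str:
    """The unsafe pattern: the untrusted name is spliced into one command string.

    If this string is later handed to a shell (subprocess.run(cmd, shell=True)
    here, or the equivalent in Java), a name such as 'x.pdf; id' terminates
    the gs command and runs 'id'. Nothing validates the name first.
    """
    return f"gs -dNOPAUSE -dBATCH -sDEVICE=png16m -sOutputFile=out.png {pdf_name}"


def build_gs_argv(work_dir: str, pdf_name: str, out_png: str) -> List[str]:
    """The hardened pattern: validate, anchor the path under a trusted
    directory, and return an argv list so no shell ever parses it.

    work_dir and out_png are chosen by the application, never by the client.
    """
    pdf_path = os.path.join(work_dir, validate_pdf_name(pdf_name))
    return [
        "gs", "-dNOPAUSE", "-dBATCH", "-dSAFER",
        "-sDEVICE=png16m", f"-sOutputFile={out_png}",
        pdf_path,  # starts with work_dir, so it can never begin with '-' or '@'
    ]


def render_with_gs(work_dir: str, pdf_name: str, out_png: str) -> int:
    """Run Ghostscript with the hardened argv. Needs gs on PATH; not used by
    the offline checks below."""
    return subprocess.run(build_gs_argv(work_dir, pdf_name, out_png),
                          check=False).returncode


if __name__ == "__main__":
    for candidate in ["report.pdf", "report.pdf; id", "-sOutputFile=/tmp/x.png",
                      "../../etc/passwd.pdf", "@args.pdf", "$(id).pdf"]:
        verdict = "ok" if is_safe_pdf_name(candidate) else "rejected"
        print(f"{candidate!r:32} -> {verdict}")
    print(build_gs_argv("/srv/pdf/in", "report.pdf", "/srv/pdf/out/report.png"))
```

The argv form alone is not sufficient: without the allowlist, a client-chosen name such as `-sOutputFile=/srv/www/shell.jsp` or `@payload` would still be parsed by Ghostscript as an option, which is why the leading-character rule is part of the policy rather than an afterthought.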
🧯 If You Can't Patch
- Implement network segmentation to isolate iText servers from critical systems
- Run iText processes with minimal privileges and in sandboxed environments
🔍 How to Verify
Check if Vulnerable:
Look up the iText artifacts in your build: com.itextpdf:kernel and its siblings for iText 7, com.itextpdf:itextpdf for iText 5. Check pom.xml, build.gradle or, better, the resolved dependency tree, because a transitive dependency can pull in a vulnerable version even when your own build file pins a fixed one.
Check Version:
Maven: mvn dependency:tree -Dincludes=com.itextpdf. Gradle: gradle dependencies --configuration runtimeClasspath | grep com.itextpdf. From inside the application: com.itextpdf.kernel.Version.getInstance().getVersion() on iText 7, com.itextpdf.text.Version.getInstance().getVersion() on iText 5. For a deployed artifact with no build metadata, read the version from the JAR file name or its META-INF/MANIFEST.MF.
Verify Fix Applied:
Confirm that every iText artifact on the runtime classpath resolves to 7.1.17 or later (or 5.5.13.3 or later on the 5.x line), not just the one declared in your build file. Then exercise the PDF comparison and processing functionality to confirm it still works.
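To turn the version checks above into something repeatable across many services, the following added example (written for this page, not a tool from the iText project) parses dependency-tree output and flags iText artifacts below the fixed releases. It understands both the Maven `dependency:tree` line format and Gradle's `group:artifact:version` form; the sample tree is constructed for the example, and the assumption that anything on a major line other than 5 or 7 is out of scope for this CVE is noted in the code.

```python
import re
from typing import List, Tuple

# First fixed release on each affected line, from the vendor release tags
# cited on this page.
FIXED_VERSION = {5: (5, 5, 13, 3), 7: (7, 1, 17)}

# Matches Maven ("com.itextpdf:kernel:jar:7.1.16:compile") and Gradle
# ("com.itextpdf:kernel:7.1.16") dependency-tree lines.
ITEXT_DEP = re.compile(r"com\.itextpdf:([A-Za-z0-9_.-]+):(?:jar:)?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.5.13.2' -> (5, 5, 13, 2); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str) -> bool:
    """True for 5.x below 5.5.13.3 and 7.x below 7.1.17.

    Assumption for this example: other major lines are outside this CVE's
    affected range and return False; they still deserve their own review.
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSION.get(parsed[0])
    return fixed is not None and parsed < fixed


def scan_dependency_tree(tree: str) -> List[Tuple[str, str, bool]]:
    """Return (artifact, version, vulnerable) for every iText artifact found."""
    findings = []
    for line in tree.splitlines():
        match = ITEXT_DEP.search(line)
        if match:
            artifact, version = match.groups()
            findings.append((artifact, version, is_vulnerable(version)))
    return findings


# Constructed sample of `mvn dependency:tree` output, not from a real project.
SAMPLE_TREE = """\
[INFO] com.example:pdf-service:jar:1.0.0
[INFO] +- com.itextpdf:kernel:jar:7.1.16:compile
[INFO] |  \\- com.itextpdf:io:jar:7.1.16:compile
[INFO] +- com.itextpdf:itextpdf:jar:5.5.13.3:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.32:compile
"""

if __name__ == "__main__":
    for artifact, version, bad in scan_dependency_tree(SAMPLE_TREE):
        print(f"com.itextpdf:{artifact}:{version} -> {'VULNERABLE' if bad else 'fixed'}")
```

Feed it the real output of `mvn dependency:tree` or `gradle dependencies` (for example via `sys.stdin.read()`), and treat a single vulnerable line as a finding even if another iText artifact in the same tree is already fixed: mixed versions usually mean a transitive dependency is dragging in the old one.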
📡 Detection & Monitoring
Log Indicators:
- Ghostscript processes (gs, gswin64c.exe) whose parent is the JVM running iText, outside of test runs
- Shells (sh, bash, cmd.exe) spawned by that JVM, or Ghostscript command lines containing shell metacharacters or arguments such as -c, -dNOSAFER, @file or %pipe% output files
- Errors or unexpected invocations from iText CompareTool operations in application logs
Network Indicators:
- Unexpected outbound connections from iText servers
- DNS requests to suspicious domains
SIEM Query:
Process creation events where the parent process is java and the new process is gs or gswin64c.exe with a command line containing shell metacharacters or the arguments listed above, or where the parent process is java and the new process is a shell.
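The SIEM query above expressed as runnable detection logic, as an added example for this page (not a rule shipped by any vendor or by the iText project). It evaluates normalised process-creation events of the kind an EDR, Sysmon or auditd pipeline produces; the field names (`parent_image`, `image`, `command_line`, `id`) and the four sample events are constructed for the example, and the list of risky Ghostscript arguments is an assumption based on Ghostscript's documented behaviour (-c runs inline PostScript, -dNOSAFER disables its file sandbox, @file pulls in further arguments, %pipe% hands output to a command).

```python
import json
import os
import re
from typing import Dict, List, Tuple

JAVA_IMAGES = {"java", "java.exe"}
GS_IMAGES = {"gs", "gs.exe", "gswin64c.exe", "gswin32c.exe"}
SHELL_IMAGES = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}

# Shell metacharacters that have no business in a Ghostscript command line
# built from validated filenames.
SHELL_META = re.compile(r"[;&|`<>]|\$\(")
# Ghostscript arguments worth alerting on (assumption for this example):
# -c runs inline PostScript, -dNOSAFER disables the file-access sandbox,
# @file pulls in more arguments, %pipe% output files hand output to a command.
RISKY_GS_ARGS = re.compile(r"(?:^|\s)(?:-c|-dNOSAFER|@\S+)(?:\s|$)|%pipe%")


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of Windows separators."""
    return os.path.basename(path.replace("\\", "/")).lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the reasons this process-creation event should alert (empty if none)."""
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    cmd = event["command_line"]
    reasons = []
    if parent in JAVA_IMAGES and image in SHELL_IMAGES:
        reasons.append("shell spawned directly by the JVM")
    if parent in JAVA_IMAGES and image in GS_IMAGES:
        if SHELL_META.search(cmd):
            reasons.append("shell metacharacters in Ghostscript command line")
        if RISKY_GS_ARGS.search(cmd):
            reasons.append("risky Ghostscript argument")
    return reasons


def scan_events(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run evaluate() over JSON event lines; return (event id, reasons) for hits."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = evaluate(event)
        if reasons:
            hits.append((event["id"], reasons))
    return hits


# Constructed process-creation events (not real telemetry), one JSON object
# per line, in the shape of a normalised EDR/Sysmon/auditd feed.
SAMPLE_EVENTS = [
    json.dumps({"id": "e1", "parent_image": "/usr/bin/java", "image": "/usr/bin/gs",
                "command_line": "gs -dNOPAUSE -dBATCH -sDEVICE=png16m "
                                "-sOutputFile=/srv/pdf/cmp/out-%03d.png /srv/pdf/cmp/report.pdf"}),
    json.dumps({"id": "e2", "parent_image": "/usr/bin/java", "image": "/bin/sh",
                "command_line": "sh -c gs -dNOPAUSE -dBATCH -sDEVICE=png16m "
                                "-sOutputFile=out.png report.pdf; id > /tmp/o"}),
    json.dumps({"id": "e3", "parent_image": "/usr/bin/java", "image": "/usr/bin/gs",
                "command_line": "gs -dNOPAUSE -dBATCH -sDEVICE=png16m "
                                "-sOutputFile=%pipe%id /srv/pdf/cmp/report.pdf"}),
    json.dumps({"id": "e4", "parent_image": "/bin/bash", "image": "/usr/bin/gs",
                "command_line": "gs -dNOPAUSE -dBATCH -sDEVICE=png16m "
                                "-sOutputFile=/tmp/out.png /tmp/test.pdf"}),
]

if __name__ == "__main__":
    for event_id, reasons in scan_events(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(reasons))
```

Event e1 is the benign CompareTool invocation and e4 an administrator running gs by hand, and neither fires; e2 (a shell under the JVM) and e3 (a %pipe% output file) do. Tune the parent-image set to the actual JVM launcher on your hosts (for example a wrapper script name) before relying on the rule.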
🔗 References
- https://github.com/itext/itext7/releases/tag/7.1.17
- https://github.com/itext/itextpdf/releases/tag/5.5.13.3
- https://lists.debian.org/debian-lts-announce/2023/01/msg00013.html
- https://pastebin.com/BXnkY9YY
- https://www.debian.org/security/2023/dsa-5323