SB2021102905 - Multiple vulnerabilities in Antenna House Office Server Document Converter

Description

This security bulletin contains information about 2 vulnerabilities.

1) XML External Entity injection (CVE-ID: CVE-2021-20838)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied XML input in the PDF convert server. A remote attacker can pass a specially crafted XML code to the affected application and cause a denial of service condition on the target system.

2) XML External Entity injection (CVE-ID: CVE-2021-20839)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied XML input in the other servers. A remote attacker can pass a specially crafted XML code to the affected application and cause a denial of service condition on the other servers.

Remediation

Install update from vendor's website.

References

• https://jvn.jp/en/jp/JVN33453839/index.html
• https://www.antenna.co.jp/news/2021/osdc72-20211027.html