CVE-2021-37714: Input Validation

First published: Wed Aug 18 2021(Updated: )

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
redhat/eap7-apache-cxf	<0:3.3.12-1.redhat_00001.1.el6ea	0:3.3.12-1.redhat_00001.1.el6ea
redhat/eap7-ironjacamar	<0:1.5.3-1.Final_redhat_00001.1.el6ea	0:1.5.3-1.Final_redhat_00001.1.el6ea
redhat/eap7-jakarta-el	<0:3.0.3-3.redhat_00007.1.el6ea	0:3.0.3-3.redhat_00007.1.el6ea
redhat/eap7-jboss-ejb-client	<0:4.0.43-1.Final_redhat_00001.1.el6ea	0:4.0.43-1.Final_redhat_00001.1.el6ea
redhat/eap7-jboss-server-migration	<0:1.7.2-10.Final_redhat_00011.1.el6ea	0:1.7.2-10.Final_redhat_00011.1.el6ea
redhat/eap7-jsoup	<0:1.14.2-1.redhat_00002.1.el6ea	0:1.14.2-1.redhat_00002.1.el6ea
redhat/eap7-resteasy	<0:3.11.5-1.Final_redhat_00001.1.el6ea	0:3.11.5-1.Final_redhat_00001.1.el6ea
redhat/eap7-undertow	<0:2.0.41-1.SP1_redhat_00001.1.el6ea	0:2.0.41-1.SP1_redhat_00001.1.el6ea
redhat/eap7-wildfly	<0:7.3.10-2.GA_redhat_00003.1.el6ea	0:7.3.10-2.GA_redhat_00003.1.el6ea
redhat/eap7-wildfly-elytron	<0:1.10.15-1.Final_redhat_00001.1.el6ea	0:1.10.15-1.Final_redhat_00001.1.el6ea
redhat/eap7-wss4j	<0:2.2.7-1.redhat_00001.1.el6ea	0:2.2.7-1.redhat_00001.1.el6ea
redhat/eap7-xml-security	<0:2.1.7-1.redhat_00001.1.el6ea	0:2.1.7-1.redhat_00001.1.el6ea
redhat/eap7-apache-cxf	<0:3.3.12-1.redhat_00001.1.el7ea	0:3.3.12-1.redhat_00001.1.el7ea
redhat/eap7-ironjacamar	<0:1.5.3-1.Final_redhat_00001.1.el7ea	0:1.5.3-1.Final_redhat_00001.1.el7ea
redhat/eap7-jakarta-el	<0:3.0.3-3.redhat_00007.1.el7ea	0:3.0.3-3.redhat_00007.1.el7ea
redhat/eap7-jboss-ejb-client	<0:4.0.43-1.Final_redhat_00001.1.el7ea	0:4.0.43-1.Final_redhat_00001.1.el7ea
redhat/eap7-jboss-server-migration	<0:1.7.2-10.Final_redhat_00011.1.el7ea	0:1.7.2-10.Final_redhat_00011.1.el7ea
redhat/eap7-jsoup	<0:1.14.2-1.redhat_00002.1.el7ea	0:1.14.2-1.redhat_00002.1.el7ea
redhat/eap7-resteasy	<0:3.11.5-1.Final_redhat_00001.1.el7ea	0:3.11.5-1.Final_redhat_00001.1.el7ea
redhat/eap7-undertow	<0:2.0.41-1.SP1_redhat_00001.1.el7ea	0:2.0.41-1.SP1_redhat_00001.1.el7ea
redhat/eap7-wildfly	<0:7.3.10-2.GA_redhat_00003.1.el7ea	0:7.3.10-2.GA_redhat_00003.1.el7ea
redhat/eap7-wildfly-elytron	<0:1.10.15-1.Final_redhat_00001.1.el7ea	0:1.10.15-1.Final_redhat_00001.1.el7ea
redhat/eap7-wss4j	<0:2.2.7-1.redhat_00001.1.el7ea	0:2.2.7-1.redhat_00001.1.el7ea
redhat/eap7-xml-security	<0:2.1.7-1.redhat_00001.1.el7ea	0:2.1.7-1.redhat_00001.1.el7ea
redhat/eap7-apache-cxf	<0:3.3.12-1.redhat_00001.1.el8ea	0:3.3.12-1.redhat_00001.1.el8ea
redhat/eap7-ironjacamar	<0:1.5.3-1.Final_redhat_00001.1.el8ea	0:1.5.3-1.Final_redhat_00001.1.el8ea
redhat/eap7-jakarta-el	<0:3.0.3-3.redhat_00007.1.el8ea	0:3.0.3-3.redhat_00007.1.el8ea
redhat/eap7-jboss-ejb-client	<0:4.0.43-1.Final_redhat_00001.1.el8ea	0:4.0.43-1.Final_redhat_00001.1.el8ea
redhat/eap7-jboss-server-migration	<0:1.7.2-10.Final_redhat_00011.1.el8ea	0:1.7.2-10.Final_redhat_00011.1.el8ea
redhat/eap7-jsoup	<0:1.14.2-1.redhat_00002.1.el8ea	0:1.14.2-1.redhat_00002.1.el8ea
redhat/eap7-resteasy	<0:3.11.5-1.Final_redhat_00001.1.el8ea	0:3.11.5-1.Final_redhat_00001.1.el8ea
redhat/eap7-undertow	<0:2.0.41-1.SP1_redhat_00001.1.el8ea	0:2.0.41-1.SP1_redhat_00001.1.el8ea
redhat/eap7-wildfly	<0:7.3.10-2.GA_redhat_00003.1.el8ea	0:7.3.10-2.GA_redhat_00003.1.el8ea
redhat/eap7-wildfly-elytron	<0:1.10.15-1.Final_redhat_00001.1.el8ea	0:1.10.15-1.Final_redhat_00001.1.el8ea
redhat/eap7-wss4j	<0:2.2.7-1.redhat_00001.1.el8ea	0:2.2.7-1.redhat_00001.1.el8ea
redhat/eap7-xml-security	<0:2.1.7-1.redhat_00001.1.el8ea	0:2.1.7-1.redhat_00001.1.el8ea
redhat/jsoup	<1.14.2	1.14.2
Jsoup Jsoup	<1.14.2
Quarkus Quarkus	<=2.2.3
Oracle Banking Trade Finance	=14.5
Oracle Banking Treasury Management	=14.5
Oracle Business Process Management Suite	=12.2.1.3.0
Oracle Business Process Management Suite	=12.2.1.4.0
Oracle FLEXCUBE Universal Banking	>=14.0.0<=14.3.0
Oracle FLEXCUBE Universal Banking	=14.5
Oracle Hospitality Token Proxy Service	=19.2
Oracle PeopleSoft Enterprise PeopleTools	=8.58
Oracle PeopleSoft Enterprise PeopleTools	=8.59
Oracle Primavera Unifier	=20.12
Oracle Primavera Unifier	=21.12
Oracle Retail Customer Management and Segmentation Foundation	>=17.0<=19.0
Oracle WebCenter Portal	=12.2.1.3.0
Oracle WebCenter Portal	=12.2.1.4.0
Oracle Communications Messaging Server	=8.1
Netapp Management Services For Element Software And Netapp Hci
Oracle Financial Services Crime And Compliance Management Studio	=8.0.8.2.0
Oracle Financial Services Crime And Compliance Management Studio	=8.0.8.3.0
Oracle Middleware Common Libraries And Tools	=12.2.1.3.0
Oracle Middleware Common Libraries And Tools	=12.2.1.4.0
Oracle Stream Analytics	<19.1.0.0.6.4
Oracle Stream Analytics	=19c

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

collector/redhat-cve
collector/ibm-support
agent/type
agent/first-publish-date
agent/softwarecombine
agent/author
agent/remedy
agent/references
agent/severity
agent/weakness
agent/tags
agent/event
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2021-37714
agent/software-canonical-lookup
agent/last-modified-date
agent/description
collector/nvd-index
agent/software-canonical-lookup-request
package-manager/redhat
vendor/jsoup
canonical/jsoup jsoup
vendor/quarkus
canonical/quarkus quarkus
version/quarkus quarkus/2.2.3
vendor/oracle
canonical/oracle banking trade finance
version/oracle banking trade finance/14.5
canonical/oracle banking treasury management
version/oracle banking treasury management/14.5
canonical/oracle business process management suite
version/oracle business process management suite/12.2.1.3.0
version/oracle business process management suite/12.2.1.4.0
canonical/oracle flexcube universal banking
version/oracle flexcube universal banking/14.0.0
version/oracle flexcube universal banking/14.3.0
version/oracle flexcube universal banking/14.5
canonical/oracle hospitality token proxy service
version/oracle hospitality token proxy service/19.2
canonical/oracle peoplesoft enterprise peopletools
version/oracle peoplesoft enterprise peopletools/8.58
version/oracle peoplesoft enterprise peopletools/8.59
canonical/oracle primavera unifier
version/oracle primavera unifier/20.12
version/oracle primavera unifier/21.12
canonical/oracle retail customer management and segmentation foundation
version/oracle retail customer management and segmentation foundation/17.0
version/oracle retail customer management and segmentation foundation/19.0
canonical/oracle webcenter portal
version/oracle webcenter portal/12.2.1.3.0
version/oracle webcenter portal/12.2.1.4.0
canonical/oracle communications messaging server
version/oracle communications messaging server/8.1
vendor/netapp
canonical/netapp management services for element software and netapp hci
canonical/oracle financial services crime and compliance management studio
version/oracle financial services crime and compliance management studio/8.0.8.2.0
version/oracle financial services crime and compliance management studio/8.0.8.3.0
canonical/oracle middleware common libraries and tools
version/oracle middleware common libraries and tools/12.2.1.3.0
version/oracle middleware common libraries and tools/12.2.1.4.0
canonical/oracle stream analytics
version/oracle stream analytics/19c

CVE-2021-37714: Input Validation

Remedy

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Company

Resources

Contact