Lucene search
IBM71AE0D5024D39B08B24A7182D24ED9015A9DA203851A438D5EF30F80E1A05C50HistorySep 14, 2022 - 3:28 p.m.
Security Bulletin: A CVE-2021-37714 vulnerability in jsoup affects IBM Process Designer in IBM Business Automation Workflow and IBM Business Process Manager
2022-09-1415:28:14
www.ibm.com
52
ibm process designer
ibm business automation workflow
ibm business process manager
jsoup
html parser
xml parser
denial of service
vulnerability
ibm bpm process designer
fix
ibm business automation workflow 19.0.0.3
ibm business automation workflow 20.0.0.2
ibm business automation workflow 21.0.0.2
ibm business process manager 8.6.0.0 cf2018.03
ibm business process manager advanced 8.5.7 cf2017.06
ibm business process manager standard 8.5.7 cf2017.06
ibm business process manager express 8.5.7 cf2017.06
CVSS2
5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
0.009
Percentile
82.8%
Summary
A vulnerabilitiy exists in jsoup used by the desktop version of IBM Process Designer. IBM Process Designer has addressed the applicable CVE.
Vulnerability Details
CVEID:CVE-2021-37714
**DESCRIPTION:**jsoup is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause the HTML and XML parser to get stuck, timeout, or throw unchecked exceptions resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207858 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Business Automation Workflow | 18.0.0.0 - 21.0.2 |
| IBM BPM Process Designer | 8.6-8.6 CF2018.03 |
| IBM BPM Process Designer | 8.5.0-8.5.7 2017.06 |
Remediation/Fixes
Install interim fix JR64213 for your version:
- IBM Business Automation Workflow 21.0.0.2
- IBM Business Automation Workflow 20.0.0.2
- IBM Business Automation Workflow 19.0.0.3
- IBM Business Process Manager 8.6.0.0 CF2018.03
- IBM Business Process Manager Advanced 8.5.7 CF2017.06
- IBM Business Process Manager Standard 8.5.7 CF2017.06
- IBM Business Process Manager Express 8.5.7 CF2017.06
Workarounds and Mitigations
None
Affected configurations
Node
ibmbusiness_process_managerMatch8.6.0.0
ORibmbusiness_process_managerMatch2018.03
ORibmbusiness_process_managerMatch8.6advanced
ORibmbusiness_process_managerMatch8.5.7.advanced
ORibmbusiness_process_managerMatch2017.06advanced
ORibmbusiness_process_managerMatch8.5.7.advanced
ORibmbusiness_process_managerMatch2017.03advanced
ORibmbusiness_process_managerMatch8.5.7.advanced
ORibmbusiness_process_managerMatch2016.12advanced
ORibmbusiness_process_managerMatch8.5.7.advanced
ORibmbusiness_process_managerMatch2016.09advanced
ORibmbusiness_process_managerMatch8.5.7.advanced
ORibmbusiness_process_managerMatch2016.06advanced
ORibmbusiness_process_managerMatch8.5.7advanced
ORibmbusiness_process_managerMatch8.5.6.2advanced
ORibmbusiness_process_managerMatch8.5.6.1advanced
ORibmbusiness_process_managerMatch8.5.6advanced
ORibmbusiness_process_managerMatch8.5.5advanced
ORibmbusiness_process_managerMatch8.5.7.standard
ORibmbusiness_process_managerMatch2017.06standard
ORibmbusiness_process_managerMatch8.5.7.standard
ORibmbusiness_process_managerMatch2017.03standard
ORibmbusiness_process_managerMatch8.5.7.standard
ORibmbusiness_process_managerMatch2016.12standard
ORibmbusiness_process_managerMatch8.5.7.standard
ORibmbusiness_process_managerMatch2016.09standard
ORibmbusiness_process_managerMatch8.5.7.standard
ORibmbusiness_process_managerMatch2016.06standard
ORibmbusiness_process_managerMatch8.5.7standard
ORibmbusiness_process_managerMatch8.5.6.2standard
ORibmbusiness_process_managerMatch8.5.6.1standard
ORibmbusiness_process_managerMatch8.5.6standard
ORibmbusiness_process_managerMatch8.5.5standard
ORibmbusiness_process_managerMatch8.6express
ORibmbusiness_process_managerMatch8.5.7.express
ORibmbusiness_process_managerMatch2017.06express
ORibmbusiness_process_managerMatch8.5.7.express
ORibmbusiness_process_managerMatch2017.03express
ORibmbusiness_process_managerMatch8.5.7.express
ORibmbusiness_process_managerMatch2016.12express
ORibmbusiness_process_managerMatch8.5.7.express
ORibmbusiness_process_managerMatch2016.09express
ORibmbusiness_process_managerMatch8.5.7.express
ORibmbusiness_process_managerMatch2016.06express
ORibmbusiness_process_managerMatch8.5.7express
ORibmbusiness_process_managerMatch8.5.6.2express
ORibmbusiness_process_managerMatch8.5.6.1express
ORibmbusiness_process_managerMatch8.5.6express
ORibmbusiness_process_managerMatch8.5.5express
ORibmbusiness_automation_workflowMatch18.0.0.1
ORibmbusiness_automation_workflowMatch18.0.0.2
ORibmbusiness_automation_workflowMatch19.0.0.1
ORibmbusiness_automation_workflowMatch19.0.0.2
ORibmbusiness_automation_workflowMatch19.0.0.3
ORibmbusiness_automation_workflowMatch20.0.0.1
ORibmbusiness_automation_workflowMatch20.0.0.2
ORibmbusiness_automation_workflowMatch21.0.1
ORibmbusiness_automation_workflowMatch21.0.2
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | business_process_manager | 8.6.0.0 | cpe:2.3:a:ibm:business_process_manager:8.6.0.0:*:*:*:*:*:*:* |
| ibm | business_process_manager | 2018.03 | cpe:2.3:a:ibm:business_process_manager:2018.03:*:*:*:*:*:*:* |
| ibm | business_process_manager | 8.6 | cpe:2.3:a:ibm:business_process_manager:8.6:*:*:*:advanced:*:*:* |
| ibm | business_process_manager | 8.5.7. | cpe:2.3:a:ibm:business_process_manager:8.5.7.:*:*:*:advanced:*:*:* |
| ibm | business_process_manager | 2017.06 | cpe:2.3:a:ibm:business_process_manager:2017.06:*:*:*:advanced:*:*:* |
| ibm | business_process_manager | 2017.03 | cpe:2.3:a:ibm:business_process_manager:2017.03:*:*:*:advanced:*:*:* |
| ibm | business_process_manager | 2016.12 | cpe:2.3:a:ibm:business_process_manager:2016.12:*:*:*:advanced:*:*:* |
| ibm | business_process_manager | 2016.09 | cpe:2.3:a:ibm:business_process_manager:2016.09:*:*:*:advanced:*:*:* |
| ibm | business_process_manager | 2016.06 | cpe:2.3:a:ibm:business_process_manager:2016.06:*:*:*:advanced:*:*:* |
| ibm | business_process_manager | 8.5.7 | cpe:2.3:a:ibm:business_process_manager:8.5.7:*:*:*:advanced:*:*:* |
Related
cvelist
cvelist
prion
prion
Input validation
2021-08-18 15:15:00
osv
osv
Uncaught Exception in jsoup
2021-08-23 19:42:38
jsoup-1.14.2-1.2 on GA media
2024-06-15 00:00:00
CVE-2021-37714
2021-08-18 15:15:08
nessus
nessus
SUSE SLED15 / SLES15 Security Update : jsoup, jsr-305 (SUSE-SU-2022:1265-1)
2022-04-21 00:00:00
RHEL 7 : jsoup (Unpatched Vulnerability)
2024-05-11 00:00:00
RHEL 8 : jsoup (Unpatched Vulnerability)
2024-06-03 00:00:00
ibm
ibm
redhatcve
redhatcve
CVE-2021-37714
2021-08-18 17:35:05
atlassian
atlassian
cve
cve
CVE-2021-37714
2021-08-18 15:15:08
debiancve
debiancve
CVE-2021-37714
2021-08-18 15:15:08
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2022:1265-1)
2022-04-20 00:00:00
openSUSE: Security Advisory for jsoup, (SUSE-SU-2022:1265-1)
2022-05-17 00:00:00
ubuntucve
ubuntucve
CVE-2021-37714
2021-08-18 00:00:00
nvd
nvd
CVE-2021-37714
2021-08-18 15:15:08
cbl_mariner
cbl_mariner
CVE-2021-37714 affecting package jsoup 1.11.3-3
2024-10-01 09:12:12
suse
suse
Security update for jsoup, jsr-305 (important)
2022-04-19 00:00:00
veracode
veracode
Denial Of Service
2021-08-19 02:33:54
vaadin
vaadin
Denial of service in third-party component in Vaadin 7 and 8
2021-10-27 00:00:00
github
github
Uncaught Exception in jsoup
2021-08-23 19:42:38
redhat
redhat
oracle
oracle
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00
Oracle Critical Patch Update Advisory - July 2022
2022-07-19 00:00:00
Oracle Critical Patch Update Advisory - January 2022
2022-01-18 00:00:00
CVSS2
5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
0.009
Percentile
82.8%
Related for 71AE0D5024D39B08B24A7182D24ED9015A9DA203851A438D5EF30F80E1A05C50