Bug 1995259 (CVE-2021-37714)

Summary: CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, ahenning, aileenc, akoufoud, alazarot, almorale, anstephe, asoldano, atangrin, ataylor, avibelli, bbaranow, bgeorges, bibryam, bmaxwell, brian.stansberry, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, eleandro, etirelli, fjuma, ggaughan, gmalinko, gsmet, gvarsami, hamadhan, hbraun, hhorak, ibek, iweiss, janstey, jaromir.capik, java-maint-sig, java-sig-commits, jcoleman, jjoyce, jnethert, jochrist, jolee, jorton, jpallich, jperkins, jrokos, jross, jschatte, jschluet, jstastny, jwon, kaycoth, krathod, kverlaen, kwills, ldimaggi, lgao, lhh, lpeer, lthon, mburns, mizdebsk, mkolesni, mnovotny, msochure, msvehla, mszynkie, nwallace, pantinor, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rrajasek, rruss, rstancel, rsvoboda, rwagner, sbiarozk, sclewis, scohen, sdouglas, sguilhen, slinaber, smaestri, sthorger, tcunning, tkirby, tom.jenkinson, tzimanyi, yborgess
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jsoup 1.14.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-15 15:58:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1995826, 1998225, 1998226, 1998227, 1998228, 1998229, 1998230    
Bug Blocks: 1995261, 2014197    

Description Pedro Sampaio 2021-08-18 17:10:50 UTC 
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

References:

https://jsoup.org/news/release-1.14.1
https://jsoup.org/news/release-1.14.2
https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c
Comment 15 errata-xmlrpc 2021-11-15 17:06:51 UTC 
This issue has been addressed in the following products:

  EAP 7.4.2 release

Via RHSA-2021:4679 https://access.redhat.com/errata/RHSA-2021:4679
Comment 16 errata-xmlrpc 2021-11-15 17:16:43 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2021:4676 https://access.redhat.com/errata/RHSA-2021:4676
Comment 17 errata-xmlrpc 2021-11-15 17:17:02 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2021:4677 https://access.redhat.com/errata/RHSA-2021:4677
Comment 18 errata-xmlrpc 2021-12-14 21:35:54 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
Comment 19 errata-xmlrpc 2021-12-15 14:35:31 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2021:5150 https://access.redhat.com/errata/RHSA-2021:5150
Comment 20 errata-xmlrpc 2021-12-15 14:41:05 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2021:5151 https://access.redhat.com/errata/RHSA-2021:5151
Comment 21 errata-xmlrpc 2021-12-15 14:42:52 UTC 
This issue has been addressed in the following products:

  EAP 7.3.10 GA

Via RHSA-2021:5154 https://access.redhat.com/errata/RHSA-2021:5154
Comment 22 errata-xmlrpc 2021-12-15 14:50:00 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2021:5149 https://access.redhat.com/errata/RHSA-2021:5149
Comment 23 Product Security DevOps Team 2021-12-15 15:58:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-37714
Comment 24 errata-xmlrpc 2021-12-15 19:09:01 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.10

Via RHSA-2021:5170 https://access.redhat.com/errata/RHSA-2021:5170
Comment 25 errata-xmlrpc 2022-01-17 12:03:08 UTC 
This issue has been addressed in the following products:

  Red Hat EAP-XP 2 via EAP 7.3.x base

Via RHSA-2022:0146 https://access.redhat.com/errata/RHSA-2022:0146
Comment 26 errata-xmlrpc 2022-02-21 18:22:59 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.2.5

Via RHSA-2022:0589 https://access.redhat.com/errata/RHSA-2022:0589
Comment 27 errata-xmlrpc 2022-07-19 13:40:22 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Q 2.7

Via RHSA-2022:5606 https://access.redhat.com/errata/RHSA-2022:5606
Comment 28 errata-xmlrpc 2022-08-04 04:47:04 UTC 
This issue has been addressed in the following products:

  RHPAM 7.13.0 async

Via RHSA-2022:5903 https://access.redhat.com/errata/RHSA-2022:5903
Comment 29 errata-xmlrpc 2022-09-09 07:12:45 UTC 
This issue has been addressed in the following products:

  RHAF Camel-K 1.8

Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407
Comment 31 errata-xmlrpc 2025-04-28 00:18:34 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7

Via RHSA-2025:4226 https://access.redhat.com/errata/RHSA-2025:4226