Security Bulletin: IBM Security Guardium is affected by a jsoup vulnerability (CVE-2021-37714)

2022-11-0820:07:11

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.006 Low

EPSS

Percentile

79.0%

JSON

Summary

IBM Security Guardium has fixed this vulnerability.

Vulnerability Details

CVEID:CVE-2021-37714
**DESCRIPTION:**jsoup is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause the HTML and XML parser to get stuck, timeout, or throw unchecked exceptions resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207858 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Security Guardium	11.0
IBM Security Guardium	11.1
IBM Security Guardium	11.2
IBM Security Guardium	11.3
IBM Security Guardium	11.4

Remediation/Fixes

IBM encourages customers to update their systems promptly.

Product	Versions	Fix
IBM Security Guardium	11.0	http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p45_Bundle_May-03-2022&includeSupersedes=0&source=fc
IBM Security Guardium	11.1	http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p160_Bundle_Mar-23-2022&includeSupersedes=0&source=fc
IBM Security Guardium	11.2	http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p277_Bundle_Oct-26-2022&includeSupersedes=0&source=fc
IBM Security Guardium	11.3	http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p360_Bundle_Mar-24-2022&includeSupersedes=0&source=fc
IBM Security Guardium	11.4	http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p430_Bundle_Apr-28-2022&includeSupersedes=0&source=fc

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm security guardiumeq11.0
ibm security guardiumeq11.1
ibm security guardiumeq11.2
ibm security guardiumeq11.3
ibm security guardiumeq11.4