CVE-2021-37714

Severity: High · Impact: Denial of Service (DoS)

Published: 18 August 2021
Modified: 21 November 2024
KEV Added: not listed
Patched in: jsoup 1.14.2
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.0391 (88.6th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-37714 is a high-severity denial-of-service vulnerability in jsoup, a Java HTML parser. Malformed input can drive the parser into an infinite loop (CWE-835) or make it throw an uncaught exception (CWE-248). The affected library is bundled in a range of Oracle products, including Business Process Management Suite, which is why those products appear in the NVD configuration list. Its CVSS base score is 7.5 (High); the vector is network-reachable with no privileges or user interaction required, and the impact is confined to availability.

Operationally, its EPSS score places it in the top 11.4% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

Vulnerability details

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial-of-service attack. The issue is patched in version 1.14.2. There are a few available workarounds: users may rate-limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and time out parse runtimes.
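The three workarounds above (size cap, runtime watchdog, and a defined failure mode for unexpected parser exceptions) combine naturally into one wrapper around the parse call. The following is an added example written for this page; it is not jsoup's or Oracle's code. It assumes jsoup is on the classpath (`org.jsoup.Jsoup`, `org.jsoup.nodes.Document`, which are jsoup's real entry points) and Java 11 or later; the class name `GuardedHtmlParser`, the limits, and the sample inputs are illustrative choices, not values from the advisory. Rate limiting per client is left to the ingress layer and is not shown.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;

import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Added example (hypothetical wrapper, not part of jsoup): parses untrusted HTML
 * behind an input-size cap, a watchdog timeout, and a single defined failure type.
 */
public final class GuardedHtmlParser {
    // Illustrative limits; size them from real input profiles and available threads.
    private static final int MAX_INPUT_BYTES = 512 * 1024;
    private static final long PARSE_TIMEOUT_MS = 500;
    // Bounded pool: a parse that never returns costs one worker slot, not the whole JVM.
    private static final int PARSE_THREADS = 4;

    private final ExecutorService pool = Executors.newFixedThreadPool(PARSE_THREADS, r -> {
        Thread t = new Thread(r, "html-parse-worker");
        t.setDaemon(true); // a wedged worker must not keep the JVM alive at shutdown
        return t;
    });

    /** The one failure type callers see, whatever went wrong inside the parser. */
    public static final class ParseRejectedException extends Exception {
        public ParseRejectedException(String msg) { super(msg); }
        public ParseRejectedException(String msg, Throwable cause) { super(msg, cause); }
    }

    public Document parse(String untrustedHtml) throws ParseRejectedException {
        // Workaround 1: cap input size before the parser ever sees it.
        int bytes = untrustedHtml.getBytes(StandardCharsets.UTF_8).length;
        if (bytes > MAX_INPUT_BYTES) {
            throw new ParseRejectedException("input too large: " + bytes + " bytes");
        }

        // Workaround 2: run the parse on a worker thread and bound how long we wait for it.
        Future<Document> future = pool.submit(() -> Jsoup.parse(untrustedHtml));
        try {
            return future.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Interrupt the worker and give up on this request. Whether the parse actually
            // stops early depends on the library honouring the interrupt, which this example
            // does not assume; on a pre-1.14.2 build the worker may keep spinning, which is
            // exactly why the pool is bounded and its threads are daemons.
            future.cancel(true);
            throw new ParseRejectedException("parse exceeded " + PARSE_TIMEOUT_MS + " ms", e);
        } catch (ExecutionException e) {
            // Workaround 3 (CWE-248): an unexpected parser exception becomes a defined
            // failure instead of escaping into the request thread.
            throw new ParseRejectedException("parser failed: " + e.getCause(), e.getCause());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            future.cancel(true);
            throw new ParseRejectedException("interrupted while waiting for parser", e);
        }
    }

    public void shutdown() {
        pool.shutdownNow();
    }

    public static void main(String[] args) {
        GuardedHtmlParser p = new GuardedHtmlParser();
        // Constructed sample inputs: a benign document and one that exceeds the size cap.
        String benign = "<html><head><title>t</title></head><body><p>hello</p></body></html>";
        String oversized = "<p>" + "a".repeat(MAX_INPUT_BYTES) + "</p>";
        for (String in : new String[] {benign, oversized}) {
            try {
                Document d = p.parse(in);
                System.out.println("parsed OK: title=\"" + d.title() + "\" text=\"" + d.text() + "\"");
            } catch (ParseRejectedException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        p.shutdown();
    }
}
```

The timeout is the control that matters against the infinite-loop case: it converts an unbounded stall into a bounded wait for the caller. The size cap is cheap and removes the "slower than usual" case for large inputs but does nothing against a small input that loops, so neither replaces upgrading to 1.14.2.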

CWE(s)

CWE-248: Uncaught Exception
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / product: affected versions
jsoup / jsoup: < 1.14.2 (fixed in 1.14.2)
quarkus / quarkus: ≤ 2.2.3
oracle / banking trade finance: 14.5
oracle / banking treasury management: 14.5
oracle / business process management suite: 12.2.1.3.0, 12.2.1.4.0
oracle / flexcube universal banking: 14.5, 14.0.0 through 14.3.0
oracle / hospitality token proxy service: 19.2
oracle / peoplesoft enterprise peopletools: 8.58, 8.59
oracle / primavera unifier: 20.12, 21.12
oracle / retail customer management and segmentation foundation: 17.0 through 19.0
+6 more product configuration(s); see NVD for the full list

Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-835: Enables transfer to an alternate site if an infinite loop at the primary renders processing unavailable.

Addresses CWE-248: Prevents abrupt termination from uncaught exceptions by requiring a defined, preserved-state failure mode.

Addresses CWE-835: Detects and mitigates infinite loops that produce sustained resource consumption.

Addresses CWE-248: Requires pre-defined safe responses for uncaught exceptions so they do not result in undefined or insecure program termination.