CVE-2018-10237

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Published: 2018-04-26 21:29   Updated: 2019-06-12 17:29

CVSS Score: 4.3 / 10
Vendor Product Version URI
Google Guava 11.0 cpe:/a:google:guava:11.0
Google Guava 11.0 cpe:/a:google:guava:11.0:rc1
Google Guava 11.0.1 cpe:/a:google:guava:11.0.1
Google Guava 11.0.2 cpe:/a:google:guava:11.0.2
Google Guava 12.0 cpe:/a:google:guava:12.0
Google Guava 12.0 cpe:/a:google:guava:12.0:rc1
Google Guava 12.0 cpe:/a:google:guava:12.0:rc2
Google Guava 12.0.1 cpe:/a:google:guava:12.0.1
Google Guava 13.0 cpe:/a:google:guava:13.0
Google Guava 13.0 cpe:/a:google:guava:13.0:rc1
Google Guava 13.0 cpe:/a:google:guava:13.0:rc2
Google Guava 13.0.1 cpe:/a:google:guava:13.0.1
Google Guava 14.0 cpe:/a:google:guava:14.0
Google Guava 14.0 cpe:/a:google:guava:14.0:rc1
Google Guava 14.0 cpe:/a:google:guava:14.0:rc2
Google Guava 14.0 cpe:/a:google:guava:14.0:rc3
Google Guava 14.0.1 cpe:/a:google:guava:14.0.1
Google Guava 15.0 cpe:/a:google:guava:15.0
Google Guava 15.0 cpe:/a:google:guava:15.0:rc1
Google Guava 16.0 cpe:/a:google:guava:16.0
Google Guava 16.0 cpe:/a:google:guava:16.0:rc1
Google Guava 16.0.1 cpe:/a:google:guava:16.0.1
Google Guava 17.0 cpe:/a:google:guava:17.0
Google Guava 17.0 cpe:/a:google:guava:17.0:rc1
Google Guava 17.0 cpe:/a:google:guava:17.0:rc2
Google Guava 18.0 cpe:/a:google:guava:18.0
Google Guava 18.0 cpe:/a:google:guava:18.0:rc1
Google Guava 18.0 cpe:/a:google:guava:18.0:rc2
Google Guava 19.0 cpe:/a:google:guava:19.0
Google Guava 19.0 cpe:/a:google:guava:19.0:rc1
Google Guava 19.0 cpe:/a:google:guava:19.0:rc2
Google Guava 19.0 cpe:/a:google:guava:19.0:rc3
Google Guava 20.0 cpe:/a:google:guava:20.0
Google Guava 20.0 cpe:/a:google:guava:20.0:rc1
Google Guava 21.0 cpe:/a:google:guava:21.0
Google Guava 21.0 cpe:/a:google:guava:21.0:rc1
Google Guava 21.0 cpe:/a:google:guava:21.0:rc2
Google Guava 22.0 cpe:/a:google:guava:22.0
Google Guava 22.0 cpe:/a:google:guava:22.0:rc1
Google Guava 23.0 cpe:/a:google:guava:23.0
Google Guava 23.0 cpe:/a:google:guava:23.0:rc1
Google Guava 23.1 cpe:/a:google:guava:23.1
Google Guava 23.2 cpe:/a:google:guava:23.2
Google Guava 23.3 cpe:/a:google:guava:23.3
Google Guava 23.4 cpe:/a:google:guava:23.4
Google Guava 23.5 cpe:/a:google:guava:23.5
Google Guava 23.6 cpe:/a:google:guava:23.6
Google Guava 23.6.1 cpe:/a:google:guava:23.6.1
Google Guava 24.0 cpe:/a:google:guava:24.0
Google Guava 24.1 cpe:/a:google:guava:24.1
Redhat Jboss Enterprise Application Platform 6.0.0 cpe:/a:redhat:jboss_enterprise_application_platform:6.0.0
Redhat Jboss Enterprise Application Platform 6.4.0 cpe:/a:redhat:jboss_enterprise_application_platform:6.4.0
Redhat Jboss Enterprise Application Platform 7.1.0 cpe:/a:redhat:jboss_enterprise_application_platform:7.1.0
Redhat Openstack 13.0 cpe:/a:redhat:openstack:13.0
Redhat Satellite 6.4 cpe:/a:redhat:satellite:6.4
Redhat Virtualization 4.2 cpe:/a:redhat:virtualization:4.2
Redhat Virtualization Host 4.0 cpe:/a:redhat:virtualization_host:4.0

CWE

ID Name Description
CWE-502 Deserialization of Untrusted Data The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

Source Link
CONFIRM https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion
REDHAT https://access.redhat.com/errata/RHSA-2018:2424
REDHAT https://access.redhat.com/errata/RHSA-2018:2425
REDHAT https://access.redhat.com/errata/RHSA-2018:2423
REDHAT https://access.redhat.com/errata/RHSA-2018:2428
REDHAT https://access.redhat.com/errata/RHSA-2018:2598
REDHAT https://access.redhat.com/errata/RHSA-2018:2643
REDHAT https://access.redhat.com/errata/RHSA-2018:2743
REDHAT https://access.redhat.com/errata/RHSA-2018:2741
SECTRACK http://www.securitytracker.com/id/1041707
REDHAT https://access.redhat.com/errata/RHSA-2018:2740
REDHAT https://access.redhat.com/errata/RHSA-2018:2742
REDHAT https://access.redhat.com/errata/RHSA-2018:2927
MLIST https://lists.apache.org/thread.html/cc48fe770c45a74dc3b37ed0817393e0c96701fc49bc431ed922f3cc@%3Chdfs-dev.hadoop.apache.org%3E
MLIST https://lists.apache.org/thread.html/19fa48533bc7ea1accf6b12746a74ed888ae6e49a5cf81ae4f807495@%3Ccommon-dev.hadoop.apache.org%3E
MLIST https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
MLIST https://lists.apache.org/thread.html/3ddd79c801edd99c0978e83dbe2168ebd36fd42acfa5dac38fb03dd6@%3Cissues.activemq.apache.org%3E
MLIST https://lists.apache.org/thread.html/3d5dbdd92ac9ceaef90e40f78599f9109f2f345252e0ac9d98e7e084@%3Cgitbox.activemq.apache.org%3E
MLIST https://lists.apache.org/thread.html/33c6bccfeb7adf644d4d79894ca8f09370be6ed4b20632c2e228d085@%3Ccommits.cassandra.apache.org%3E

History of changes

Date Event
2019-06-12 17:29
2019-05-30 14:29
2019-05-16 10:29
2019-05-02 19:34
2019-04-16 18:29
2018-10-17 10:29
2018-09-25 10:29
2018-09-05 10:29
2018-08-30 10:29
2018-08-16 10:29
2018-06-13 15:16
2018-04-26 21:29