ALT-PU-2018-1834-1
Closed vulnerabilities
Published: 2018-04-26
BDU:2020-03317
Vulnerability in the Google Guava Java library set, related to unbounded memory allocation in the AtomicDoubleArray and CompoundOrdering classes, allowing an attacker to cause a denial of service
Severity: MEDIUM (5.9)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2018-04-27
Modified: 2024-11-21
CVE-2018-10237
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Severity: MEDIUM (5.9)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- 1041707
- RHSA-2018:2423
- RHSA-2018:2424
- RHSA-2018:2425
- RHSA-2018:2428
- RHSA-2018:2598
- RHSA-2018:2643
- RHSA-2018:2740
- RHSA-2018:2741
- RHSA-2018:2742
- RHSA-2018:2743
- RHSA-2018:2927
- RHSA-2019:2858
- RHSA-2019:3149
- https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion
- [activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar
- [hadoop-common-dev] 20190401 Update guava to 27.0-jre in hadoop-project
- [cassandra-commits] 20190612 [jira] [Assigned] (CASSANDRA-14760) CVE-2018-10237 Security vulnerability in 3.11.3
- [activemq-gitbox] 20190530 [GitHub] [activemq-artemis] brusdev opened a new pull request #2687: ARTEMIS-2359 Upgrade to Guava 24.1
- [activemq-issues] 20190516 [jira] [Created] (AMQ-7208) Security Issue related to Guava 18.0
- [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
- [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
- [hadoop-hdfs-dev] 20190401 Update guava to 27.0-jre in hadoop-project
- [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
- [pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1
- [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
- [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
- [lucene-issues] 20201022 [jira] [Resolved] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava
- [flink-issues] 20210212 [jira] [Closed] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency
- [cxf-dev] 20200206 [GitHub] [cxf] davidkarlsen opened a new pull request #638: upgrade guava, CVE-2018-10237
- [cxf-dev] 20200420 [GitHub] [cxf] andrei-ivanov commented on a change in pull request #638: upgrade guava, CVE-2018-10237
- [storm-issues] 20210315 [jira] [Created] (STORM-3754) Upgrade Guava version because of security vulnerability
- [samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes
- [cxf-dev] 20200420 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237
- [pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10149: Upgrade jclouds to 2.3.0 to fix security vulnerabilities
- [syncope-dev] 20200423 Re: Time to cut 2.1.6 / 2.0.15?
- [flink-dev] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency
- [maven-issues] 20210122 [GitHub] [maven-indexer] akurtakov opened a new pull request #75: Remove guava dependency from indexer-core
- [cxf-dev] 20200206 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237
- [kafka-users] 20200413 CVEs for the dependency software guava and rocksdbjni of Kafka
- [lucene-issues] 20201022 [jira] [Created] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava
- [flink-issues] 20200814 [jira] [Commented] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency
- [lucene-issues] 20201022 [jira] [Updated] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava
- [cxf-dev] 20200211 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237
- [hadoop-common-dev] 20200623 Update guava to 27.0-jre in hadoop branch-2.10
- [arrow-github] 20210610 [GitHub] [arrow] projjal opened a new pull request #10501: ARROW-13032: Update guava version
- [cxf-dev] 20200420 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237
- [flink-issues] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency
- https://security.netapp.com/advisory/ntap-20220629-0008/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html