CVE-2018-10237 — MEDIUM (5.9)

Q: How severe is CVE-2018-10237?

CVE-2018-10237 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-10237?

Check the references section above for vendor advisories and patch information. Affected products include: Google Guava, Redhat Openshift Container Platform, Redhat Openstack, Redhat Satellite, Redhat Satellite Capsule.

Vulnerability Description

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Google	Guava	>= 11.0, < 24.1.1
Redhat	Openshift Container Platform	3.11
Redhat	Openstack	13
Redhat	Satellite	6.4
Redhat	Satellite Capsule	6.4
Redhat	Virtualization	4.2
Redhat	Virtualization Host	4.0
Redhat	Jboss Enterprise Application Platform	6.0.0
Redhat	Enterprise Linux	7.0
Oracle	Banking Payments	>= 14.1.0, <= 14.4.0
Oracle	Communications Ip Service Activator	7.3.0
Oracle	Customer Management And Segmentation Foundation	18.0
Oracle	Database Server	12.2.0.1
Oracle	Flexcube Investor Servicing	12.1.0
Oracle	Flexcube Private Banking	12.0.0
Oracle	Retail Integration Bus	15.0
Oracle	Retail Xstore Point Of Service	7.1
Oracle	Weblogic Server	12.2.1.3.0

Related Weaknesses (CWE)

CWE-770

References

http://www.securitytracker.com/id/1041707Broken Link
https://access.redhat.com/errata/RHSA-2018:2423Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2424Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2425Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2428Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2598Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2643Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2740Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2741Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2742Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2743Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2927Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2858Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3149Third Party Advisory
https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussionVendor Advisory

FAQ

What is CVE-2018-10237?

CVE-2018-10237 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize att...

How severe is CVE-2018-10237?

CVE-2018-10237 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-10237?

Check the references section above for vendor advisories and patch information. Affected products include: Google Guava, Redhat Openshift Container Platform, Redhat Openstack, Redhat Satellite, Redhat Satellite Capsule.