CVSSv2: 4.3

CVE-2018-10237

Published: 26/04/2018 Updated: 04/08/2021
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 385
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Vulnerability Summary

Unbounded memory allocation in Google Guava 11.0 up to and including 24.x prior to 24.1.1 allows remote malicious users to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.


Vulnerable Products

google guava
redhat openshift container platform 3.11
redhat openshift container platform 4.1
redhat openstack 13
redhat satellite 6.4
redhat satellite capsule 6.4
redhat virtualization 4.0
redhat virtualization 4.2
redhat virtualization host 4.0
redhat jboss enterprise application platform 6.0.0
redhat jboss enterprise application platform 6.4.0
redhat jboss enterprise application platform 7.1.0
oracle banking payments
oracle communications ip service activator 7.3.0
oracle communications ip service activator 7.4.0
oracle customer management and segmentation foundation 18.0
oracle database server 12.2.0.1
oracle database server 18c
oracle database server 19c
oracle flexcube investor servicing 12.1.0
oracle flexcube investor servicing 12.3.0
oracle flexcube investor servicing 12.4.0
oracle flexcube investor servicing 14.0.0
oracle flexcube investor servicing 14.1.0
oracle flexcube private banking 12.0.0
oracle flexcube private banking 12.1.0
oracle retail integration bus 15.0
oracle retail integration bus 16.0
oracle retail xstore point of service 7.1
oracle retail xstore point of service 15.0
oracle retail xstore point of service 16.0
oracle retail xstore point of service 17.0
oracle weblogic server 12.2.1.3.0

Vendor Advisories

Synopsis: Moderate: opendaylight security and bug fix update. Type/Severity: Security Advisory: Moderate. Topic: An update for OpenDaylight is now available for Red Hat OpenStack Platform 13.0 (Queens). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Sc ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.21 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.21 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.1.4 on RHEL 6 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as ...
Synopsis: Important: EAP Continuous Delivery Technical Preview Release 13 security update. Type/Severity: Security Advisory: Important. Topic: This is a security update for JBoss EAP Continuous Delivery 13.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnera ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.1.4 on RHEL 7 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.21 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a s ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.21 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.1 security update. Type/Severity: Security Advisory: Important. Topic: A security update is now available for Red Hat JBoss Enterprise Application Platform from the Customer Portal. Red Hat Product Security has rated this update as having a secu ...
Synopsis: Important: rhvm-appliance security update. Type/Severity: Security Advisory: Important. Topic: An update for rhvm-appliance is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vuln ...
Synopsis: Important: Red Hat Single Sign-On 7.2.4 security update. Type/Severity: Security Advisory: Important. Topic: A security update is now available for Red Hat Single Sign-On 7.2 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulner ...
A vulnerability was found in Guava where the AtomicDoubleArray and CompoundOrdering classes were found to allocate memory based on size fields sent by the client without validation. A crafted message could cause the server to consume all available memory or crash, leading to a denial of service ...
There is a potential denial of service with the Google Guava library that is used in WebSphere Application Server Liberty, which in turn is used by IBM Watson™ Compare and Comply on IBM Cloud Private ...
There is a potential denial of service with the Google Guava library that is used in Liberty for Java ...
IBM Algo Credit Manager has addressed a denial of service vulnerability in WebSphere Liberty that was caused by the usage of Google Guava ...
IBM Cúram Social Program Management uses the Google Guava library indirectly through Google Guice. In versions of the Google Guava library before version 24.1.1, an unbounded memory allocation vulnerability enables remote attackers to conduct denial of service attacks against servers that depend on the library, and to deserialize attacker-provided dat ...
There is a potential denial of service with the Google Guava library that is used in WebSphere Application Server. This can affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) ...
There is a vulnerability in IBM WebSphere Application Server, used by IBM Spectrum Scale. This vulnerability may allow a remote attacker to cause a denial of service condition ...
There is a vulnerability in IBM WebSphere Application Server, used by IBM Spectrum Scale. This issue allows a remote attacker to cause a denial of service condition ...
InfoSphere Data Replication has addressed the following vulnerability: CVE-2018-10237 (Google Guava is vulnerable to a denial of service, caused by improper eager allocation checks in the AtomicDoubleArray and CompoundOrdering classes. By sending specially crafted data, a remote attacker could exploit this vulnerability to cause a denial of service ...
There is a vulnerability in Google Guava used by IBM® Cloud App Management V2018. IBM® Cloud App Management has addressed the applicable CVE in a later version ...
There is a potential denial of service with the Google Guava library that is used in WebSphere Application Server that affects IBM Security AppScan Enterprise ...
There is a potential denial of service with the Google Guava library that is used in WebSphere Application Server ...
Synopsis: Important: Satellite 6.4 security, bug fix, and enhancement update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat Satellite 6.4 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring ...
Synopsis: Important: OpenShift Container Platform logging-elasticsearch5-container security update. Type/Severity: Security Advisory: Important. Topic: An update for logging-elasticsearch5-container is now available for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as h ...
Synopsis: Important: OpenShift Container Platform 4.1.18 logging-elasticsearch5 security update. Type/Severity: Security Advisory: Important. Topic: An update for logging-elasticsearch5-container is now available for Red Hat OpenShift Container Platform 4.1. Red Hat Product Security has rated this update as havin ...
There are multiple vulnerabilities in IBM® Runtime Java™ Version 8 and Liberty used by IBM BigFix Remote Control Version 9.1.4 ...
Multiple Vulnerabilities in Watson OpenScale (Liberty, Java, nodejs) ...
There are multiple security vulnerabilities that affect the IBM WebSphere Application Server in the IBM Cloud. There is a timing window where there could be a privilege escalation vulnerability in WebSphere Application Server. There is a potential remote code execution vulnerability in WebSphere Application Server. There is a potential cross-site r ...
This interim fix provides instructions on upgrading third-party libraries in IBM Spectrum Conductor 2.5.0 in order to address security vulnerabilities CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023, CVE-2019-17359, CVE-2019-8331, CVE-2018-1000632, CVE-2018-10237, CVE-2020-13956, CVE-2020-9488, CVE-2017-18214, CVE-2020-11979, CVE-202 ...
There are multiple vulnerabilities identified in IBM Guardium Data Encryption (GDE). These vulnerabilities have been fixed in GDE 4.0.0.4. Please apply the latest version for the fixes ...
This interim fix provides instructions on upgrading third-party libraries in IBM Spectrum Symphony 7.3.1 in order to address security vulnerabilities CVE-2015-6420, CVE-2019-1311, CVE-2015-4852, CVE-2017-15708, CVE-2015-7501, CVE-2017-18214, CVE-2016-1000027, CVE-2019-8331, CVE-2016-7103, CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-110 ...

Github Repositories

Modern plugin framework for TeamSpeak 3 servers – in Java.

JeakBot TeamSpeak 3 Plugin Framework. TS3 servers on the next level! The JeakBot-Framework connects to the TeamSpeak server using the TS3 server query interface. Java plugins can use the API to interact with the TeamSpeak server using the JeakBot-API. Plugins can be programmed in a way that developers may be familiar with from the Sponge plugin API for Minecraft, as the project's idea ...

Demo project to show different ways of fixing vulnerabilities found in a Maven-based Java project.

dependency-demo-app. Demo project to show different ways of fixing vulnerabilities found in a Maven-based Java project. Run Dependency-Check with the following command: mvn org.owasp:dependency-check-maven:check. The report will be generated at target/dependency-check-report.html. Different kinds of vulnerabilities and ways to fix them: Vulnerability Category, Vulnerable dependenc ...

An analysis of open-source Android apps intended to learn whether they are harmed by vulnerable dependencies.

OSS Android apps and insecure dependencies. An experiment intended to demonstrate the value you can get from gradle-bodyguard. Also, a small and independent security study about Android open-source apps, by a curious Software Engineer. Goals: in order to share with you why I wrote gradle-bodyguard, I chose 13 open-source Android apps - from several players in the industry - and o ...

Vulnerable dummy application for checking different SCA tools.

An application for reviewing technical tools for component analysis. The application was developed as part of a graduate thesis on the topic "An analytical study of software protection of applications against ...

Compiled dataset of Java deserialization CVEs.

Java-Deserialization-CVEs. This is a dataset of CVEs related to Java deserialization. Since existing CVE databases do not allow granular searches by vulnerability type and language, this list was compiled by manually searching the NIST NVD CVE database with different queries. If you notice any discrepancies, contributions are very welcome! Columns: CVE ID, Year, CVSS 3/3.1 risk, CV ...

References

CWE-770
https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion
https://access.redhat.com/errata/RHSA-2018:2428
https://access.redhat.com/errata/RHSA-2018:2425
https://access.redhat.com/errata/RHSA-2018:2424
https://access.redhat.com/errata/RHSA-2018:2423
https://access.redhat.com/errata/RHSA-2018:2598
https://access.redhat.com/errata/RHSA-2018:2643
https://access.redhat.com/errata/RHSA-2018:2743
https://access.redhat.com/errata/RHSA-2018:2742
https://access.redhat.com/errata/RHSA-2018:2741
https://access.redhat.com/errata/RHSA-2018:2740
http://www.securitytracker.com/id/1041707
https://access.redhat.com/errata/RHSA-2018:2927
https://lists.apache.org/thread.html/cc48fe770c45a74dc3b37ed0817393e0c96701fc49bc431ed922f3cc@%3Chdfs-dev.hadoop.apache.org%3E
https://lists.apache.org/thread.html/19fa48533bc7ea1accf6b12746a74ed888ae6e49a5cf81ae4f807495@%3Ccommon-dev.hadoop.apache.org%3E
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/3ddd79c801edd99c0978e83dbe2168ebd36fd42acfa5dac38fb03dd6@%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/3d5dbdd92ac9ceaef90e40f78599f9109f2f345252e0ac9d98e7e084@%3Cgitbox.activemq.apache.org%3E
https://lists.apache.org/thread.html/33c6bccfeb7adf644d4d79894ca8f09370be6ed4b20632c2e228d085@%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
https://access.redhat.com/errata/RHSA-2019:2858
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
https://access.redhat.com/errata/RHSA-2019:3149
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/r27eb79a87a760335226dbfa6a7b7bffea539a535f8e80c41e482106d@%3Cdev.cxf.apache.org%3E
https://lists.apache.org/thread.html/r95799427b335807a4c54776908125c3e66597b65845ae50096d9278a@%3Cdev.cxf.apache.org%3E
https://lists.apache.org/thread.html/rc78f6e84f82cc662860e96526d8ab969f34dbe12dc560e22d9d147a3@%3Cdev.cxf.apache.org%3E
https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@%3Cusers.kafka.apache.org%3E
https://www.oracle.com/security-alerts/cpuapr2020.html
https://lists.apache.org/thread.html/rd0c8ec6e044aa2958dd0549ebf8ecead7f5968c9474ba73a504161b2@%3Cdev.cxf.apache.org%3E
https://lists.apache.org/thread.html/r38e2ab87528d3c904e7fac496e8fd766b9277656ff95b97d6b6b6dcd@%3Cdev.cxf.apache.org%3E
https://lists.apache.org/thread.html/r2ea4e5e5aa8ad73b001a466c582899620961f47d77a40af712c1fdf9@%3Cdev.cxf.apache.org%3E
https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540@%3Cdev.syncope.apache.org%3E
https://lists.apache.org/thread.html/rc8467f357b943ceaa86f289f8bc1a5d1c7955b75d3bac1426f2d4ac1@%3Ccommon-dev.hadoop.apache.org%3E
https://www.oracle.com/security-alerts/cpujul2020.html
https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/rdc56c15693c236e31e1e95f847b8e5e74fc0a05741d47488e7fc8c45@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r50fc0bcc734dd82e691d36d209258683141bfc0083739a77e56ad92d@%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/ra8906723927aef2a599398c238eacfc845b74d812e0093ec2fc70a7d@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/ra4f44016926dcb034b3b230280a18102062f94ae55b8a31bb92fed84@%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/rb3da574c34bc6bd37972d2266af3093b90d7e437460423c24f477919@%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/r223bc776a077d0795786c38cbc6e7dd808fce1a9161b00ba9c0a5d55@%3Cissues.lucene.apache.org%3E
https://www.oracle.com/security-alerts/cpujan2021.html
https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E
https://lists.apache.org/thread.html/r22c8173b804cd4a420c43064ba4e363d0022aa421008b1989f7354d4@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E
https://lists.apache.org/thread.html/r30e7d7b6bfa630dacc41649a0e96dad75165d50474c1241068aa0f94@%3Cissues.storm.apache.org%3E
https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748@%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95@%3Cgithub.arrow.apache.org%3E
https://github.com/jeakfrw/core-framework
https://tools.cisco.com/security/center/viewAlert.x?alertId=58175
https://nvd.nist.gov