CVE-2018-10237

Impact:
Moderate
Public Date:
2018-04-25
CWE:
CWE-119
Bugzilla:
1573391: CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
A vulnerability was found in Guava where the AtomicDoubleArray and CompoundOrdering classes were found to allocate memory based on size fields sent by the client without validation. A crafted message could cause the server to consume all available memory or crash leading to a denial of service.

Find out more about CVE-2018-10237 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

Red Hat Product Security has rated this issue as having a security impact of Moderate, and a future update may address this flaw.

CVSS v3 metrics

CVSS3 Base Score 5.9
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact None
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts (rhvm-appliance) RHSA-2018:2643 2018-09-04
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server RHSA-2018:2742 2018-09-24
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server RHSA-2018:2423 2018-08-15
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server RHSA-2018:2741 2018-09-24
Red Hat Satellite 6.4 for RHEL 7 RHSA-2018:2927 2018-10-16
Red Hat JBoss EAP 7.1 RHSA-2018:2425 2018-08-15
Red Hat Satellite 6.4 for RHEL 7 RHSA-2018:2927 2018-10-16
Red Hat Single Sign-On 7.2 RHSA-2018:2428 2018-08-15
Red Hat OpenStack Platform 13.0 (Queens) (opendaylight) RHSA-2018:2598 2018-08-29
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server RHSA-2018:2743 2018-09-24
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server RHSA-2018:2424 2018-08-15
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2018:2740 2018-09-24

Affected Packages State

Platform Package State
Red Hat Virtualization 4 eap7-guava Affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-maven35-guava Affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-java-common-guava Affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-eclipse46-guava Will not fix
Red Hat Software Collections for Red Hat Enterprise Linux rh-eclipse46-jackson-datatype-guava Not affected
Red Hat Single Sign-On 7 guava Under investigation
Red Hat Satellite 6 guava Affected
Red Hat OpenStack Platform 9.0 opendaylight Will not fix
Red Hat OpenStack Platform 8.0 (Liberty) opendaylight Will not fix
Red Hat OpenStack Platform 12.0 opendaylight Will not fix
Red Hat OpenStack Platform 11.0 (Ocata) opendaylight Will not fix
Red Hat OpenStack Platform 10 opendaylight Will not fix
Red Hat OpenShift Application Runtimes 1.0 vertx Affected
Red Hat Mobile Application Platform On-Premise 4 guava Not affected
Red Hat JBoss Operations Network 3 guava Will not fix
Red Hat JBoss Fuse Service Works 6 guava Will not fix
Red Hat JBoss Fuse 7 guava Affected
Red Hat JBoss Fuse 6 guava Affected
Red Hat JBoss Data Virtualization 6 guava Under investigation
Red Hat JBoss Data Grid 7 guava Under investigation
Red Hat JBoss BRMS 6 guava Affected
Red Hat JBoss BRMS 5 guava Not affected
Red Hat JBoss BPMS 6 guava Affected
Red Hat JBoss A-MQ 7 guava Affected
Red Hat JBoss A-MQ 6 guava Affected
Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7 opendaylight Will not fix
Red Hat Enterprise Linux 7 guava Affected

External References

Last Modified