Bug 1573391 (CVE-2018-10237)
| Summary: | CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abenaiss, aboyko, ahardin, ahenning, aileenc, alazarot, anstephe, aos-bugs, apevec, asoldano, atangrin, avibelli, bbaranow, bcourt, bgeorges, bkearney, bleanhar, bmaxwell, bmcclain, bmontgom, brian.stansberry, ccoleman, cdewolf, chazlett, chrisw, csutherl, darran.lofthouse, dblechte, dedgar, dffrench, dimitris, dkreling, dmoppert, dosoudil, drieden, drusso, eedri, eparis, etirelli, fgavrilo, gvarsami, hhorak, huwang, ibek, iweiss, java-maint, jawilson, jbalunas, jburrell, jcantril, jcoleman, jgoulding, jjoyce, jmadigan, jmatthew, jochrist, jokerman, jolee, jondruse, jorton, jpadman, jpallich, jperkins, jschatte, jschluet, jshepherd, jstastny, jwon, kbasil, kconner, krathod, kverlaen, kwills, ldimaggi, lgao, lgriffin, lhh, loleary, lpeer, lpetrovi, lthon, markmc, mburns, mchappel, mgoldboi, michal.skrivanek, mizdebsk, mkolesni, mmccune, mrike, msochure, msvehla, mszynkie, myarboro, ngough, nstielau, nwallace, ohadlevy, paradhya, pbhattac, pdrozd, pgallagh, pgier, pjindal, pjurak, pmackay, ppalaga, psakar, pskopek, pslavice, psotirop, pwright, rchan, rguimara, rnetuka, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, rzhang, sbonazzo, sclewis, sdaley, security-response-team, sguilhen, sherold, slinaber, smaestri, spandura, spinder, sponnaga, sthorger, szappis, tcunning, tdecacqu, theute, tkirby, tom.jenkinson, trepel, trogers, tsanders, twalsh, vhalbert, vtunka |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: |
https://issues.redhat.com/browse/ENTESB-8113 https://issues.redhat.com/browse/ENTESB-8114 https://issues.redhat.com/browse/ENTESB-8306 https://issues.redhat.com/browse/ENTMQBR-1501 https://issues.redhat.com/browse/ENTVTX-186 https://issues.redhat.com/browse/JBEAP-14711 https://issues.redhat.com/browse/JBEAP-14712 https://issues.redhat.com/browse/JBEAP-14736 https://issues.redhat.com/browse/RHBPMS-5199 https://issues.redhat.com/browse/RHBRMS-3127 https://issues.redhat.com//browse/ENTESB-8113 https://issues.redhat.com//browse/ENTESB-8114 https://issues.redhat.com//browse/ENTESB-8306 https://issues.redhat.com//browse/ENTMQBR-1501 https://issues.redhat.com//browse/ENTVTX-186 https://issues.redhat.com//browse/JBEAP-14711 https://issues.redhat.com//browse/JBEAP-14712 https://issues.redhat.com//browse/JBEAP-14736 https://issues.redhat.com//browse/RHBPMS-5199 https://issues.redhat.com//browse/RHBRMS-3127 |
||
| Whiteboard: | |||
| Fixed In Version: | guava 24.1.1, guava 25.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A vulnerability was found in Guava where the AtomicDoubleArray and CompoundOrdering classes were found to allocate memory based on size fields sent by the client without validation. A crafted message could cause the server to consume all available memory or crash leading to a denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-10 10:20:58 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1573393, 1573394, 1573494, 1573498, 1573499, 1574786, 1576452, 1576453, 1582987, 1582988, 1582989, 1582990, 1582991, 1582992, 1582993, 1591096, 1592469, 1592470, 1592471, 1592472, 1731833, 1731834, 1745011 | ||
| Bug Blocks: | 1573396, 2014197 | ||
|
Description
Sam Fowler
2018-05-01 04:06:46 UTC
Created guava tracking bugs for this issue: Affects: fedora-all [bug 1573394] Note there is guava20 compat package as well. Created guava20 tracking bugs for this issue: Affects: fedora-28 [bug 1574786] This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:2425 https://access.redhat.com/errata/RHSA-2018:2425 This issue has been addressed in the following products: Red Hat Single Sign-On 7.2.4 zip Via RHSA-2018:2428 https://access.redhat.com/errata/RHSA-2018:2428 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:2423 https://access.redhat.com/errata/RHSA-2018:2423 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:2424 https://access.redhat.com/errata/RHSA-2018:2424 This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Via RHSA-2018:2598 https://access.redhat.com/errata/RHSA-2018:2598 This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2018:2643 https://access.redhat.com/errata/RHSA-2018:2643 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:2740 https://access.redhat.com/errata/RHSA-2018:2740 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2018:2741 https://access.redhat.com/errata/RHSA-2018:2741 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2018:2742 https://access.redhat.com/errata/RHSA-2018:2742 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2018:2743 https://access.redhat.com/errata/RHSA-2018:2743 This issue has been addressed in the following products: Red Hat Satellite 6.4 for RHEL 7 Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927 This vulnerability is out of security support scope for the following product: * Red Hat JBoss Data Virtualization & Services 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. Statement: Red Hat Openshift Application Runtimes: Eclipse Vert.x is not exploitable by this flaw, though the vulnerable code is a transient dependency to the product. This issue may be addressed in a future release. This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:2858 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3149 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2562 https://access.redhat.com/errata/RHSA-2020:2562 |