cvelist/2018/10xxx/CVE-2018-10237.json

{
    "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2018-10237",
        "STATE": "PUBLIC"
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "product": {
                        "product_data": [
                            {
                                "product_name": "n/a",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_value": "n/a"
                                        }
                                    ]
                                }
                            }
                        ]
                    },
                    "vendor_name": "n/a"
                }
            ]
        }
    },
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable."
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "n/a"
                    }
                ]
            }
        ]
    },
    "references": {
        "reference_data": [
            {
                "name": "RHSA-2018:2428",
                "refsource": "REDHAT",
                "url": "https://access.redhat.com/errata/RHSA-2018:2428"
            },
            {
                "name": "RHSA-2018:2740",
                "refsource": "REDHAT",
                "url": "https://access.redhat.com/errata/RHSA-2018:2740"
            },
            {
                "name": "RHSA-2018:2741",
                "refsource": "REDHAT",
                "url": "https://access.redhat.com/errata/RHSA-2018:2741"
            },
            {
                "name": "RHSA-2018:2742",
                "refsource": "REDHAT",
                "url": "https://access.redhat.com/errata/RHSA-2018:2742"
            },
            {
                "name": "RHSA-2018:2598",
                "refsource": "REDHAT",
                "url": "https://access.redhat.com/errata/RHSA-2018:2598"
            },
            {
                "name": "RHSA-2018:2643",
                "refsource": "REDHAT",
                "url": "https://access.redhat.com/errata/RHSA-2018:2643"
            },
            {
                "name": "RHSA-2018:2424",
                "refsource": "REDHAT",
                "url": "https://access.redhat.com/errata/RHSA-2018:2424"
            },
            {
                "name": "RHSA-2018:2423",
                "refsource": "REDHAT",
                "url": "https://access.redhat.com/errata/RHSA-2018:2423"
            },
            {
                "name": "RHSA-2018:2425",
                "refsource": "REDHAT",
                "url": "https://access.redhat.com/errata/RHSA-2018:2425"
            },
            {
                "name": "RHSA-2018:2927",
                "refsource": "REDHAT",
                "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
                "name": "1041707",
                "refsource": "SECTRACK",
                "url": "http://www.securitytracker.com/id/1041707"
            },
            {
                "name": "RHSA-2018:2743",
                "refsource": "REDHAT",
                "url": "https://access.redhat.com/errata/RHSA-2018:2743"
            },
            {
                "refsource": "MLIST",
                "name": "[hadoop-hdfs-dev] 20190401 Update guava to 27.0-jre in hadoop-project",
                "url": "https://lists.apache.org/thread.html/cc48fe770c45a74dc3b37ed0817393e0c96701fc49bc431ed922f3cc@%3Chdfs-dev.hadoop.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[hadoop-common-dev] 20190401 Update guava to 27.0-jre in hadoop-project",
                "url": "https://lists.apache.org/thread.html/19fa48533bc7ea1accf6b12746a74ed888ae6e49a5cf81ae4f807495@%3Ccommon-dev.hadoop.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1",
                "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[activemq-issues] 20190516 [jira] [Created] (AMQ-7208) Security Issue related to Guava 18.0",
                "url": "https://lists.apache.org/thread.html/3ddd79c801edd99c0978e83dbe2168ebd36fd42acfa5dac38fb03dd6@%3Cissues.activemq.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[activemq-gitbox] 20190530 [GitHub] [activemq-artemis] brusdev opened a new pull request #2687: ARTEMIS-2359 Upgrade to Guava 24.1",
                "url": "https://lists.apache.org/thread.html/3d5dbdd92ac9ceaef90e40f78599f9109f2f345252e0ac9d98e7e084@%3Cgitbox.activemq.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[cassandra-commits] 20190612 [jira] [Assigned] (CASSANDRA-14760) CVE-2018-10237 Security vulnerability in 3.11.3",
                "url": "https://lists.apache.org/thread.html/33c6bccfeb7adf644d4d79894ca8f09370be6ed4b20632c2e228d085@%3Ccommits.cassandra.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar",
                "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E"
            },
            {
                "refsource": "REDHAT",
                "name": "RHSA-2019:2858",
                "url": "https://access.redhat.com/errata/RHSA-2019:2858"
            },
            {
                "refsource": "MLIST",
                "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
                "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
            },
            {
                "refsource": "REDHAT",
                "name": "RHSA-2019:3149",
                "url": "https://access.redhat.com/errata/RHSA-2019:3149"
            },
            {
                "refsource": "MLIST",
                "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
                "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
                "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[cxf-dev] 20200206 [GitHub] [cxf] davidkarlsen opened a new pull request #638: upgrade guava, CVE-2018-10237",
                "url": "https://lists.apache.org/thread.html/r27eb79a87a760335226dbfa6a7b7bffea539a535f8e80c41e482106d@%3Cdev.cxf.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[cxf-dev] 20200206 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                "url": "https://lists.apache.org/thread.html/r95799427b335807a4c54776908125c3e66597b65845ae50096d9278a@%3Cdev.cxf.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[cxf-dev] 20200211 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                "url": "https://lists.apache.org/thread.html/rc78f6e84f82cc662860e96526d8ab969f34dbe12dc560e22d9d147a3@%3Cdev.cxf.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[kafka-users] 20200413 CVEs for the dependency software guava and rocksdbjni of Kafka",
                "url": "https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@%3Cusers.kafka.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[cxf-dev] 20200420 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                "url": "https://lists.apache.org/thread.html/rd0c8ec6e044aa2958dd0549ebf8ecead7f5968c9474ba73a504161b2@%3Cdev.cxf.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[cxf-dev] 20200420 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                "url": "https://lists.apache.org/thread.html/r38e2ab87528d3c904e7fac496e8fd766b9277656ff95b97d6b6b6dcd@%3Cdev.cxf.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[cxf-dev] 20200420 [GitHub] [cxf] andrei-ivanov commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                "url": "https://lists.apache.org/thread.html/r2ea4e5e5aa8ad73b001a466c582899620961f47d77a40af712c1fdf9@%3Cdev.cxf.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[syncope-dev] 20200423 Re: Time to cut 2.1.6 / 2.0.15?",
                "url": "https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540@%3Cdev.syncope.apache.org%3E"
            },
            {
                "url": "https://www.oracle.com/security-alerts/cpuapr2020.html",
                "refsource": "MISC",
                "name": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
                "refsource": "MLIST",
                "name": "[hadoop-common-dev] 20200623 Update guava to 27.0-jre in hadoop branch-2.10",
                "url": "https://lists.apache.org/thread.html/rc8467f357b943ceaa86f289f8bc1a5d1c7955b75d3bac1426f2d4ac1@%3Ccommon-dev.hadoop.apache.org%3E"
            },
            {
                "url": "https://www.oracle.com/security-alerts/cpujul2020.html",
                "refsource": "MISC",
                "name": "https://www.oracle.com/security-alerts/cpujul2020.html"
            },
            {
                "name": "https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion",
                "refsource": "CONFIRM",
                "url": "https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion"
            },
            {
                "refsource": "MLIST",
                "name": "[flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
                "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cdev.flink.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
                "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cuser.flink.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[flink-dev] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                "url": "https://lists.apache.org/thread.html/r50fc0bcc734dd82e691d36d209258683141bfc0083739a77e56ad92d@%3Cdev.flink.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[flink-issues] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                "url": "https://lists.apache.org/thread.html/rdc56c15693c236e31e1e95f847b8e5e74fc0a05741d47488e7fc8c45@%3Cissues.flink.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[flink-issues] 20200814 [jira] [Commented] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                "url": "https://lists.apache.org/thread.html/ra8906723927aef2a599398c238eacfc845b74d812e0093ec2fc70a7d@%3Cissues.flink.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[lucene-issues] 20201022 [jira] [Created] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
                "url": "https://lists.apache.org/thread.html/ra4f44016926dcb034b3b230280a18102062f94ae55b8a31bb92fed84@%3Cissues.lucene.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[lucene-issues] 20201022 [jira] [Updated] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
                "url": "https://lists.apache.org/thread.html/rb3da574c34bc6bd37972d2266af3093b90d7e437460423c24f477919@%3Cissues.lucene.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[lucene-issues] 20201022 [jira] [Resolved] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
                "url": "https://lists.apache.org/thread.html/r223bc776a077d0795786c38cbc6e7dd808fce1a9161b00ba9c0a5d55@%3Cissues.lucene.apache.org%3E"
            },
            {
                "url": "https://www.oracle.com/security-alerts/cpujan2021.html",
                "refsource": "MISC",
                "name": "https://www.oracle.com/security-alerts/cpujan2021.html"
            },
            {
                "refsource": "MLIST",
                "name": "[maven-issues] 20210122 [GitHub] [maven-indexer] akurtakov opened a new pull request #75: Remove guava dependency from indexer-core",
                "url": "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[flink-issues] 20210212 [jira] [Closed] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                "url": "https://lists.apache.org/thread.html/r22c8173b804cd4a420c43064ba4e363d0022aa421008b1989f7354d4@%3Cissues.flink.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes",
                "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[storm-issues] 20210315 [jira] [Created] (STORM-3754) Upgrade Guava version because of security vulnerability",
                "url": "https://lists.apache.org/thread.html/r30e7d7b6bfa630dacc41649a0e96dad75165d50474c1241068aa0f94@%3Cissues.storm.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10149: Upgrade jclouds to 2.3.0 to fix security vulnerabilities",
                "url": "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748@%3Ccommits.pulsar.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[arrow-github] 20210610 [GitHub] [arrow] projjal opened a new pull request #10501: ARROW-13032: Update guava version",
                "url": "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95@%3Cgithub.arrow.apache.org%3E"
            }
        ]
    }
}