CVE-2018-10237
First published: Thu Apr 26 2018(Updated: )
Google Guava is vulnerable to a denial of service, caused by improper eager allocation checks in the AtomicDoubleArray and CompoundOrdering class. By sending a specially-crafted data, a remote attacker could exploit this vulnerability to cause a denial of service condition.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/com.google.guava:guava | >=11.0<24.1.1-android | 24.1.1-android |
| maven/org.sonatype.sisu:sisu-guava | =0.11.1 | |
| maven/org.hudsonci.lib.guava:guava | <=14.0.1-h-3 | |
| maven/de.mhus.ports:vaadin-shared-deps | <=7.4.0 | |
| maven/com.googlecode.guava-osgi:guava-osgi | <=11.0.1 | |
| maven/com.google.guava:guava-jdk5 | <=17.0 | |
| redhat/guava | <24.1.1 | 24.1.1 |
| redhat/guava | <25.0 | 25.0 |
| IBM GDE | <=3.0.0.2 | |
| Google Guava | >=11.0<24.1.1 | |
| redhat openshift container platform | =3.11 | |
| redhat openstack | =13 | |
| redhat satellite | =6.4 | |
| Red Hat Satellite Capsule | =6.4 | |
| Red Hat Enterprise Virtualization | =4.2 | |
| redhat virtualization host | =4.0 | |
| redhat jboss enterprise application platform | =6.0.0 | |
| redhat jboss enterprise application platform | =6.4.0 | |
| redhat jboss enterprise application platform | =7.1.0 | |
| redhat openshift container platform | =4.1 | |
| Red Hat Enterprise Virtualization | =4.0 | |
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =5.0 | |
| Red Hat Enterprise Linux | =6.0 | |
| Oracle Banking Payments | >=14.1.0<=14.4.0 | |
| Oracle Communications IP Service Activator | =7.3.0 | |
| Oracle Communications IP Service Activator | =7.4.0 | |
| Oracle Customer Management and Segmentation Foundation | =18.0 | |
| Oracle Database | =12.2.0.1 | |
| Oracle Database | =18c | |
| Oracle Database | =19c | |
| Oracle FLEXCUBE Investor Servicing | =12.1.0 | |
| Oracle FLEXCUBE Investor Servicing | =12.3.0 | |
| Oracle FLEXCUBE Investor Servicing | =12.4.0 | |
| Oracle FLEXCUBE Investor Servicing | =14.0.0 | |
| Oracle FLEXCUBE Investor Servicing | =14.1.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Retail Integration Bus | =15.0 | |
| Oracle Retail Integration Bus | =16.0 | |
| Oracle Retail Xstore Office Cloud Service | =7.1 | |
| Oracle Retail Xstore Office Cloud Service | =15.0 | |
| Oracle Retail Xstore Office Cloud Service | =16.0 | |
| Oracle Retail Xstore Office Cloud Service | =17.0 | |
| Oracle WebLogic Server | =12.2.1.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securitytracker.com/id/1041707
- https://access.redhat.com/errata/RHSA-2018:2423
- https://access.redhat.com/errata/RHSA-2018:2424
- https://access.redhat.com/errata/RHSA-2018:2425
- https://access.redhat.com/errata/RHSA-2018:2428
- https://access.redhat.com/errata/RHSA-2018:2598
- https://access.redhat.com/errata/RHSA-2018:2643
- https://access.redhat.com/errata/RHSA-2018:2740
- https://access.redhat.com/errata/RHSA-2018:2741
- https://access.redhat.com/errata/RHSA-2018:2742
- https://access.redhat.com/errata/RHSA-2018:2743
- https://access.redhat.com/errata/RHSA-2018:2927
- https://access.redhat.com/errata/RHSA-2019:2858
- https://access.redhat.com/errata/RHSA-2019:3149
- https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/19fa48533bc7ea1accf6b12746a74ed888ae6e49a5cf81ae4f807495@%3Ccommon-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/33c6bccfeb7adf644d4d79894ca8f09370be6ed4b20632c2e228d085@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/3d5dbdd92ac9ceaef90e40f78599f9109f2f345252e0ac9d98e7e084@%3Cgitbox.activemq.apache.org%3E
- https://lists.apache.org/thread.html/3ddd79c801edd99c0978e83dbe2168ebd36fd42acfa5dac38fb03dd6@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/cc48fe770c45a74dc3b37ed0817393e0c96701fc49bc431ed922f3cc@%3Chdfs-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/r223bc776a077d0795786c38cbc6e7dd808fce1a9161b00ba9c0a5d55@%3Cissues.lucene.apache.org%3E
- https://lists.apache.org/thread.html/r22c8173b804cd4a420c43064ba4e363d0022aa421008b1989f7354d4@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r27eb79a87a760335226dbfa6a7b7bffea539a535f8e80c41e482106d@%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r2ea4e5e5aa8ad73b001a466c582899620961f47d77a40af712c1fdf9@%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r30e7d7b6bfa630dacc41649a0e96dad75165d50474c1241068aa0f94@%3Cissues.storm.apache.org%3E
- https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E
- https://lists.apache.org/thread.html/r38e2ab87528d3c904e7fac496e8fd766b9277656ff95b97d6b6b6dcd@%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540@%3Cdev.syncope.apache.org%3E
- https://lists.apache.org/thread.html/r50fc0bcc734dd82e691d36d209258683141bfc0083739a77e56ad92d@%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E
- https://lists.apache.org/thread.html/r95799427b335807a4c54776908125c3e66597b65845ae50096d9278a@%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/ra4f44016926dcb034b3b230280a18102062f94ae55b8a31bb92fed84@%3Cissues.lucene.apache.org%3E
- https://lists.apache.org/thread.html/ra8906723927aef2a599398c238eacfc845b74d812e0093ec2fc70a7d@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rb3da574c34bc6bd37972d2266af3093b90d7e437460423c24f477919@%3Cissues.lucene.apache.org%3E
- https://lists.apache.org/thread.html/rc78f6e84f82cc662860e96526d8ab969f34dbe12dc560e22d9d147a3@%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc8467f357b943ceaa86f289f8bc1a5d1c7955b75d3bac1426f2d4ac1@%3Ccommon-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95@%3Cgithub.arrow.apache.org%3E
- https://lists.apache.org/thread.html/rd0c8ec6e044aa2958dd0549ebf8ecead7f5968c9474ba73a504161b2@%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rdc56c15693c236e31e1e95f847b8e5e74fc0a05741d47488e7fc8c45@%3Cissues.flink.apache.org%3E
- https://security.netapp.com/advisory/ntap-20220629-0008/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://nvd.nist.gov/vuln/detail/CVE-2018-10237
- https://github.com/google/guava/wiki/CVE-2018-10237
- https://github.com/advisories/GHSA-mvr2-9pj6-7w5j (Advisory)
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/19fa48533bc7ea1accf6b12746a74ed888ae6e49a5cf81ae4f807495%40%3Ccommon-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/33c6bccfeb7adf644d4d79894ca8f09370be6ed4b20632c2e228d085%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/3d5dbdd92ac9ceaef90e40f78599f9109f2f345252e0ac9d98e7e084%40%3Cgitbox.activemq.apache.org%3E
- https://lists.apache.org/thread.html/3ddd79c801edd99c0978e83dbe2168ebd36fd42acfa5dac38fb03dd6%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/cc48fe770c45a74dc3b37ed0817393e0c96701fc49bc431ed922f3cc%40%3Chdfs-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/r223bc776a077d0795786c38cbc6e7dd808fce1a9161b00ba9c0a5d55%40%3Cissues.lucene.apache.org%3E
- https://lists.apache.org/thread.html/r22c8173b804cd4a420c43064ba4e363d0022aa421008b1989f7354d4%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r27eb79a87a760335226dbfa6a7b7bffea539a535f8e80c41e482106d%40%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r2ea4e5e5aa8ad73b001a466c582899620961f47d77a40af712c1fdf9%40%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r30e7d7b6bfa630dacc41649a0e96dad75165d50474c1241068aa0f94%40%3Cissues.storm.apache.org%3E
- https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E
- https://lists.apache.org/thread.html/r38e2ab87528d3c904e7fac496e8fd766b9277656ff95b97d6b6b6dcd%40%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540%40%3Cdev.syncope.apache.org%3E
- https://lists.apache.org/thread.html/r50fc0bcc734dd82e691d36d209258683141bfc0083739a77e56ad92d%40%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E
- https://lists.apache.org/thread.html/r95799427b335807a4c54776908125c3e66597b65845ae50096d9278a%40%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/ra4f44016926dcb034b3b230280a18102062f94ae55b8a31bb92fed84%40%3Cissues.lucene.apache.org%3E
- https://lists.apache.org/thread.html/ra8906723927aef2a599398c238eacfc845b74d812e0093ec2fc70a7d%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rb3da574c34bc6bd37972d2266af3093b90d7e437460423c24f477919%40%3Cissues.lucene.apache.org%3E
- https://lists.apache.org/thread.html/rc78f6e84f82cc662860e96526d8ab969f34dbe12dc560e22d9d147a3%40%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc8467f357b943ceaa86f289f8bc1a5d1c7955b75d3bac1426f2d4ac1%40%3Ccommon-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E
- https://lists.apache.org/thread.html/rd0c8ec6e044aa2958dd0549ebf8ecead7f5968c9474ba73a504161b2%40%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rdc56c15693c236e31e1e95f847b8e5e74fc0a05741d47488e7fc8c45%40%3Cissues.flink.apache.org%3E
- https://groups.google.com/forum/#!topic/guava-announce/xqWALw4W1vs/discussion
- https://github.com/google/guava/commit/7ec8718f1e6e2814dabaa4b9f96b6b33a813101c
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1573394
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1574786
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/errata/RHSA-2020:2562
- https://bugzilla.redhat.com/show_bug.cgi?id=1573391
- https://exchange.xforce.ibmcloud.com/vulnerabilities/142508
- https://www.ibm.com/support/pages/node/6320835 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2018-10237?
CVE-2018-10237 has a severity rating indicating it can lead to denial of service conditions.
How do I fix CVE-2018-10237?
To fix CVE-2018-10237, users should upgrade to Google Guava version 24.1.1 or later.
Which versions of Google Guava are affected by CVE-2018-10237?
Google Guava versions from 11.0 to 24.1.1 are affected by CVE-2018-10237.
Are there any workarounds for CVE-2018-10237?
Currently, the recommended solution for CVE-2018-10237 is to upgrade to a patched version rather than relying on workarounds.
What kind of attack does CVE-2018-10237 enable?
CVE-2018-10237 allows attackers to cause a denial of service by sending specially-crafted data.
- collector/github-advisory-latest
- alias/GHSA-mvr2-9pj6-7w5j
- alias/CVE-2018-10237
- collector/github-advisory
- agent/author
- agent/type
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/severity
- agent/description
- collector/ibm-support
- source/IBM
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- package-manager/maven
- package-manager/redhat
- vendor/ibm
- canonical/ibm gde
- version/ibm gde/3.0.0.2
- vendor/google
- canonical/google guava
- version/google guava/11.0
- vendor/redhat
- canonical/redhat openshift container platform
- version/redhat openshift container platform/3.11
- canonical/redhat openstack
- version/redhat openstack/13
- canonical/redhat satellite
- version/redhat satellite/6.4
- canonical/red hat satellite capsule
- version/red hat satellite capsule/6.4
- canonical/red hat enterprise virtualization
- version/red hat enterprise virtualization/4.2
- canonical/redhat virtualization host
- version/redhat virtualization host/4.0
- canonical/redhat jboss enterprise application platform
- version/redhat jboss enterprise application platform/6.0.0
- version/redhat jboss enterprise application platform/6.4.0
- version/redhat jboss enterprise application platform/7.1.0
- version/redhat openshift container platform/4.1
- version/red hat enterprise virtualization/4.0
- canonical/red hat enterprise linux
- version/red hat enterprise linux/7.0
- version/red hat enterprise linux/5.0
- version/red hat enterprise linux/6.0
- vendor/oracle
- canonical/oracle banking payments
- version/oracle banking payments/14.1.0
- version/oracle banking payments/14.4.0
- canonical/oracle communications ip service activator
- version/oracle communications ip service activator/7.3.0
- version/oracle communications ip service activator/7.4.0
- canonical/oracle customer management and segmentation foundation
- version/oracle customer management and segmentation foundation/18.0
- canonical/oracle database
- version/oracle database/12.2.0.1
- version/oracle database/18c
- version/oracle database/19c
- canonical/oracle flexcube investor servicing
- version/oracle flexcube investor servicing/12.1.0
- version/oracle flexcube investor servicing/12.3.0
- version/oracle flexcube investor servicing/12.4.0
- version/oracle flexcube investor servicing/14.0.0
- version/oracle flexcube investor servicing/14.1.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle retail integration bus
- version/oracle retail integration bus/15.0
- version/oracle retail integration bus/16.0
- canonical/oracle retail xstore office cloud service
- version/oracle retail xstore office cloud service/7.1
- version/oracle retail xstore office cloud service/15.0
- version/oracle retail xstore office cloud service/16.0
- version/oracle retail xstore office cloud service/17.0
- canonical/oracle weblogic server
- version/oracle weblogic server/12.2.1.3.0