CVE-2018-10237
Unbounded Memory Allocation vulnerability in guava (Maven)

Unbounded Memory Allocation | No known exploit

What is CVE-2018-10237 About?

This vulnerability involves unbounded memory allocation in Google Guava, affecting versions 11.0 through 24.x before 24.1.1. It can lead to Denial of Service attacks on servers that deserialize attacker-provided data by forcing excessive memory usage. Exploitation is dependent on the server deserializing untrusted input.

Affected Software

  • com.google.guava:guava
    • >11.0, <24.1.1-android
  • com.google.guava:guava-jdk5
    • <=17.0
  • com.googlecode.guava-osgi:guava-osgi
    • <=11.0.1
  • de.mhus.ports:vaadin-shared-deps
    • <=7.4.0
  • org.hudsonci.lib.guava:guava
    • <=14.0.1-h-3

Technical Details

The vulnerability exists in Google Guava versions 11.0 through 24.x prior to 24.1.1. Specifically, when AtomicDoubleArray objects are deserialized using Java serialization or CompoundOrdering objects are deserialized using GWT serialization, the library performs eager memory allocation without adequate checks on the size of the incoming data or its reasonableness. An attacker can craft malicious serialized data that, upon deserialization by a server utilizing a vulnerable Guava version, triggers the allocation of excessively large memory structures. This unbounded memory allocation quickly exhausts the server's available memory, leading to a Denial of Service condition by causing the application to crash or become unresponsive.
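The eager-allocation pattern described above, next to a reader that only grows its buffer as elements actually arrive. This is an added example, not Guava's source code: the class `Samples`, its `declaredLength` hook and both reader methods are hypothetical names, and the wire format (an int length followed by that many doubles) is an assumption made for the demonstration.

```java
import java.io.*;
import java.util.Arrays;
public class EagerAllocationDemo {
    // Eager pattern: the array is sized from a stream-supplied integer before any element is read.
    static double[] readEager(DataInput in) throws IOException {
        int length = in.readInt();
        double[] values = new double[length];           // 8 * length bytes committed up front
        for (int i = 0; i < length; i++) values[i] = in.readDouble();
        return values;
    }

    // Incremental pattern: memory use is bounded by the number of elements really present.
    static double[] readIncremental(DataInput in) throws IOException {
        int length = in.readInt();
        if (length < 0) throw new InvalidObjectException("negative length");
        double[] buf = new double[Math.min(length, 1024)];
        for (int n = 0; n < length; n++) {
            if (n == buf.length) buf = Arrays.copyOf(buf, (int) Math.min(2L * buf.length, length));
            buf[n] = in.readDouble();                   // throws EOFException once the data runs out
        }
        return buf;                                     // buf.length == length at this point
    }

    /** Hypothetical holder; wire form is an int length followed by that many doubles. */
    static class Samples implements Serializable {
        private static final long serialVersionUID = 1L;
        transient double[] values;
        transient int declaredLength;                   // demo hook: the length written to the stream
        Samples(double[] values, int declaredLength) { this.values = values; this.declaredLength = declaredLength; }
        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeInt(declaredLength);
            for (double v : values) out.writeDouble(v);
        }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            values = readIncremental(in);               // readEager here would reproduce the flaw
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an honest length, then one far larger than the data that follows.
        for (int declared : new int[] {2, Integer.MAX_VALUE}) {
            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
            try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(new Samples(new double[] {1.5, 2.5}, declared)); }
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
                System.out.println(Arrays.toString(((Samples) in.readObject()).values));
            } catch (IOException e) { System.out.println("rejected: " + e); }
        }
    }
}
```

With the incremental reader, a stream whose declared length exceeds its data fails with an I/O error after allocating at most the initial 1024-element buffer, instead of attempting an allocation sized by the declared length.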

What is the Impact of CVE-2018-10237?

Successful exploitation may allow attackers to disrupt the availability of the affected system or application, causing it to become unresponsive or crash.

What is the Exploitability of CVE-2018-10237?

Exploitation of this vulnerability is of moderate complexity, requiring an understanding of Java or GWT serialization formats and the specific structures that trigger unbounded allocation. It primarily affects servers that deserialize untrusted, attacker-provided data, suggesting remote exploitation is possible if such an endpoint is exposed. Authentication requirements depend on whether the deserialization endpoint is protected. Prerequisites include identifying applications that use vulnerable Guava versions and deserialize external data. The risk factors that increase exploitation likelihood include applications exposing unauthenticated deserialization endpoints or those that process untrusted serialized data without validation.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2018-10237?

Available Upgrade Options

  • com.google.guava:guava
    • >11.0, <24.1.1-android → Upgrade to 24.1.1-android

Additional Resources

What are Similar Vulnerabilities to CVE-2018-10237?

Similar Vulnerabilities: CVE-2020-11005, CVE-2019-20444, CVE-2017-1000487, CVE-2017-6428, CVE-2016-4977