Описание
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
A vulnerability was found in Guava where the AtomicDoubleArray and CompoundOrdering classes were found to allocate memory based on size fields sent by the client without validation. A crafted message could cause the server to consume all available memory or crash leading to a denial of service.
Отчет
Red Hat Openshift Application Runtimes: Eclipse Vert.x is not exploitable by this flaw, though the vulnerable code is a transient dependency to the product. This issue may be addressed in a future release.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| JBoss Developer Studio 11 | guava | Will not fix | ||
| Red Hat AMQ Broker 7 | guava | Affected | ||
| Red Hat BPM Suite 6 | guava | Not affected | ||
| Red Hat Enterprise Linux 7 | guava | Will not fix | ||
| Red Hat Enterprise Linux 8 | guava | Not affected | ||
| Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Operational Tools | opendaylight | Will not fix | ||
| Red Hat Fuse 7 | guava | Will not fix | ||
| Red Hat JBoss A-MQ 6 | guava | Out of support scope | ||
| Red Hat JBoss BRMS 5 | guava | Not affected | ||
| Red Hat JBoss BRMS 6 | guava | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
5.9 Medium
CVSS3
Связанные уязвимости
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Unbounded memory allocation in Google Guava 11.0 through 24.x before 2 ...
Уязвимость набора Java-библиотек Google Guava, связанная с неограниченным выделением памяти в классах AtomicDoubleArray и CompoundOrdering, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
5.9 Medium
CVSS3