CVE-2018-10237: Medium severity Google Guava vulnerability

Published Apr 26, 2018
·
Updated

Google Guava versions 11.0 through 24.1 are vulnerable to unbounded memory allocation in the AtomicDoubleArray class (when serialized with Java serialization) and Compound Ordering class (when serialized with GWT serialization). An attacker could exploit applications that use Guava and deserialize untrusted data to cause a denial of service.

External References:

https://github.com/google/guava/wiki/CVE-2018-10237 https://groups.google.com/forum/#!topic/guava-announce/xqWALw4W1vs/discussion

Upstream Patch:

https://github.com/google/guava/commit/7ec8718f1e6e2814dabaa4b9f96b6b33a813101c

Other sources

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Affected Software

45 affected componentsFixes available
maven/com.google.guava:guava>=11.0<24.1.1-android
24.1.1-android
maven/org.sonatype.sisu:sisu-guava=0.11.1
maven/org.hudsonci.lib.guava:guava<=14.0.1-h-3
maven/de.mhus.ports:vaadin-shared-deps<=7.4.0
maven/com.googlecode.guava-osgi:guava-osgi<=11.0.1
maven/com.google.guava:guava-jdk5<=17.0
redhat/guava<24.1.1
24.1.1
redhat/guava<25.0
25.0
Google Guava>=11.0<24.1.1
redhat OpenShift Container Platform=3.11
redhat Openstack=13
redhat Satellite=6.4
redhat Satellite Capsule=6.4
redhat Virtualization=4.2
redhat Virtualization Host=4.0
redhat JBoss Enterprise Application Platform=6.0.0
redhat JBoss Enterprise Application Platform=6.4.0
redhat JBoss Enterprise Application Platform=7.1.0
redhat OpenShift Container Platform=4.1
redhat Virtualization=4.0
redhat Enterprise Linux=7.0
redhat Enterprise Linux=5.0
redhat Enterprise Linux=6.0
Oracle Banking Payments>=14.1.0<=14.4.0
Oracle Communications Ip Service Activator=7.3.0
Oracle Communications Ip Service Activator=7.4.0
Oracle Customer Management And Segmentation Foundation=18.0
Oracle Database Server=12.2.0.1
Oracle Database Server=18c
Oracle Database Server=19c
Oracle FLEXCUBE Investor Servicing=12.1.0
Oracle FLEXCUBE Investor Servicing=12.3.0
Oracle FLEXCUBE Investor Servicing=12.4.0
Oracle FLEXCUBE Investor Servicing=14.0.0
Oracle FLEXCUBE Investor Servicing=14.1.0
Oracle FLEXCUBE Private Banking=12.0.0
Oracle FLEXCUBE Private Banking=12.1.0
Oracle Retail Integration Bus=15.0
Oracle Retail Integration Bus=16.0
Oracle Retail Xstore Point of Service=7.1
Oracle Retail Xstore Point of Service=15.0
Oracle Retail Xstore Point of Service=16.0
Oracle Retail Xstore Point of Service=17.0
Oracle WebLogic Server=12.2.1.3.0
IBM Financial Transaction Manager for ACH Services and Check Services for Multi-Platform<=3.0.0.0 - 3.0.5.4 iFix 27

Remediation

Patch Available

https://www.oracle.com/security-alerts/cpuapr2020.html

Patch Available

https://www.oracle.com/security-alerts/cpujan2021.html

Patch Available

https://www.oracle.com/security-alerts/cpujul2020.html

Patch Available

https://www.oracle.com/security-alerts/cpuoct2021.html

Event History

Apr 26, 2018
CVE Published
via MITRE·09:00 PM
Data Sourced
via MITRE·09:00 PM
Description
May 1, 2018
Data Sourced
via Red Hat·04:06 AM
DescriptionSeverityAffected Software
Jun 15, 2020
Advisory Published
08:35 PM
Feb 9, 2026
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2018-10237?

CVE-2018-10237 has a severity rating indicating it can lead to denial of service conditions.

2

How do I fix CVE-2018-10237?

To fix CVE-2018-10237, users should upgrade to Google Guava version 24.1.1 or later.

3

Which versions of Google Guava are affected by CVE-2018-10237?

Google Guava versions from 11.0 to 24.1.1 are affected by CVE-2018-10237.

4

Are there any workarounds for CVE-2018-10237?

Currently, the recommended solution for CVE-2018-10237 is to upgrade to a patched version rather than relying on workarounds.

5

What kind of attack does CVE-2018-10237 enable?

CVE-2018-10237 allows attackers to cause a denial of service by sending specially-crafted data.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203