GitLab

Created by: armorcodegithubqa[bot]

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Mitigation: 24.1.1 Red Hat has issued a fix.

The Red Hat advisory is available at:

https://access.redhat.com/errata/RHSA-2018:2740 https://access.redhat.com/errata/RHSA-2018:2741 https://access.redhat.com/errata/RHSA-2018:2742 https://access.redhat.com/errata/RHSA-2018:2743

https://qa.armorcode.ai/#/findings/5124095

Knowledge Base: Man in the Middle (MITM) Attack:https://qa.armorcode.ai/#/knowledgeBase/45