Deserialization DoS Vulnerability reported in Guava
Issue date: 18-02-2019
Affects versions: 12.6, 12.5, 11.2
Issue ID: SECURITY-88
Affected Product Version(s)
This vulnerability affects projects based on Hippo CMS 12.6.0, 12.5.1, 11.2.10, or earlier.
Severity
Medium
Description
CVE-2018-10237 was reported against Guava and affects the Guava versions currently used in brXM 11.2.10 (Guava 16.0.1) and 12.6.0 (Guava 22.0), and earlier releases. It allows an attacker who can supply maliciously formatted serialized data to cause a denial of service. To resolve this vulnerability, the Guava dependency was updated to version 24.1.1-jre in brXM 11.2.11 and 12.6.1.
Instructions
Every CMS customer is strongly advised to upgrade as soon as possible to the latest CMS maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project. Please consult the Guava change logs for details of any incompatibilities that may be introduced, as usage of Guava APIs within an implementation project may be affected.
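As an added example (not part of this advisory and not Bloomreach/Hippo code), the following POSIX shell check reads `mvn dependency:tree` output and flags any Guava artifact still resolved below the fix version 24.1.1, so a project can confirm the parent POM bump actually took effect. The dependency:tree lines are constructed samples and the `org.example` coordinate is a placeholder.

```shell
#!/bin/sh
# Added example: verify the Guava version Maven resolves for an implementation
# project against the CVE-2018-10237 fix version 24.1.1. Assumes the standard
# "mvn dependency:tree" line format groupId:artifactId:type:version:scope
# (no classifier), as in the constructed samples at the bottom.

# Exit 0 (true) when VERSION is older than 24.1.1. Qualifiers such as "-jre"
# or "-android" are ignored; a missing minor or patch component counts as 0.
guava_is_vulnerable() {
    v=${1%%-*}
    major=${v%%.*}; rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0          # e.g. "22" has no minor part
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0     # e.g. "22.0" has no patch part
    if [ "$major" -lt 24 ]; then return 0; fi
    if [ "$major" -gt 24 ]; then return 1; fi
    if [ "$minor" -lt 1 ]; then return 0; fi
    if [ "$minor" -gt 1 ]; then return 1; fi
    if [ "$patch" -lt 1 ]; then return 0; fi
    return 1
}

# Read dependency:tree output on stdin, print every Guava line still below the
# fix version, and exit 1 if any was found (usable as a CI gate).
scan_dependency_tree() {
    found=0
    while IFS= read -r line; do
        case $line in
            *com.google.guava:guava:*) ;;
            *) continue ;;
        esac
        coord=${line#*com.google.guava:guava:}   # jar:22.0:compile
        coord=${coord#*:}                         # 22.0:compile
        version=${coord%%:*}                      # 22.0
        if guava_is_vulnerable "$version"; then
            echo "VULNERABLE (CVE-2018-10237): guava $version in: $line"
            found=1
        fi
    done
    return $found
}

# Constructed samples: a tree as resolved with Guava 22.0 (brXM 12.6.0) and
# one after the upgrade to 24.1.1-jre. org.example is a placeholder.
VULNERABLE_TREE='[INFO] +- org.example:some-library:jar:1.0:compile
[INFO] |  \- com.google.guava:guava:jar:22.0:compile'
FIXED_TREE='[INFO] +- org.example:some-library:jar:1.1:compile
[INFO] |  \- com.google.guava:guava:jar:24.1.1-jre:compile'

# Against a real build: mvn dependency:tree | scan_dependency_tree
```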