Deserialization DoS Vulnerability Reported in Guava

Issue date: 18-02-2019
Affects versions: 12.6, 12.5, 11.2

Issue ID: SECURITY-88

Affected Product Version(s)
This vulnerability affects projects based on Hippo CMS 12.6.0, 12.5.1, 11.2.10, or earlier.

Severity 
Medium

Description

CVE-2018-10237 was reported against Guava and affects the Guava versions used in brXM 11.2.10 (Guava 16.0.1), brXM 12.6.0 (Guava 22.0), and earlier releases. It can allow malicious software to cause a denial of service using maliciously formatted data. To resolve this vulnerability, the Guava dependency was updated to version 24.1.1-jre in brXM 11.2.11 and 12.6.1.

Instructions

Every CMS customer is strongly advised to upgrade as soon as possible to the latest CMS maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project. Please consult the Guava change logs for details of any incompatibilities that may be introduced, as usage of Guava APIs within an implementation project may be affected.
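
After raising the parent POM version, it is worth confirming that no dependency in the implementation project still resolves an older Guava. The following is an added example, not part of the original advisory or the product's own code: a Python check over `mvn dependency:tree` output that flags any com.google.guava:guava entry older than 24.1.1. The sample trees and the com.example coordinates are constructed for illustration.

```python
import re

# First fixed Guava release named in the advisory (24.1.1-jre).
FIXED = (24, 1, 1)

def parse_version(text):
    """'24.1.1-jre' -> (24, 1, 1); the qualifier after the numbers is ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return (0, 0, 0)  # unparseable: sorts below FIXED so it gets reviewed
    return tuple(int(g or 0) for g in m.groups())

def find_vulnerable_guava(tree_output):
    """Return (version, scope, line_no) for each Guava entry older than FIXED."""
    findings = []
    for line_no, line in enumerate(tree_output.splitlines(), 1):
        m = re.search(r"com\.google\.guava:guava:\S+", line)
        if not m:
            continue
        # Coordinate layout: group:artifact:type[:classifier]:version:scope
        fields = m.group(0).split(":")
        if len(fields) < 5:
            continue
        version, scope = fields[-2], fields[-1]
        if parse_version(version) < FIXED:
            findings.append((version, scope, line_no))
    return findings

# Constructed sample output (hypothetical com.example project), before upgrade.
SAMPLE_BEFORE = r"""[INFO] com.example:myproject-cms:war:0.1.0-SNAPSHOT
[INFO] +- com.example:some-plugin:jar:1.0.0:compile
[INFO] |  \- com.google.guava:guava:jar:22.0:compile
[INFO] \- com.example:legacy-lib:jar:2.3:runtime
[INFO]    \- com.google.guava:guava:jar:16.0.1:runtime
"""

# Constructed sample output after the parent POM version was raised.
SAMPLE_AFTER = r"""[INFO] com.example:myproject-cms:war:0.1.0-SNAPSHOT
[INFO] +- com.example:some-plugin:jar:1.0.0:compile
[INFO] |  \- com.google.guava:guava:jar:24.1.1-jre:compile
"""

if __name__ == "__main__":
    for version, scope, line_no in find_vulnerable_guava(SAMPLE_BEFORE):
        print(f"line {line_no}: guava {version} ({scope}) is older than 24.1.1")
    print("after upgrade:", find_vulnerable_guava(SAMPLE_AFTER) or "no old Guava found")
```

In a real project the input would be the saved output of `mvn dependency:tree` for each module; an empty result means every resolved Guava is at or above the fixed release.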