Security Bulletin: Vulnerability in Google Guava affects IBM Cúram Social Program Management (CVE-2018-10237)

Summary

IBM Cúram Social Program Management uses the Google Guava library indirectly through Google Guice. In versions of Google Guava library before version 24.1.1, an unbounded memory allocation vulnerability enables remote attackers to conduct denial of service attacks against servers that depend on the library, and to deserialize attacker-provided data.

Vulnerability Details

CVEID: CVE-2018-10237 DESCRIPTION: Google Guava is vulnerable to a denial of service, caused by improper eager allocation checks in the AtomicDoubleArray and CompoundOrdering class. By sending specially crafted data, a remote attacker could exploit the vulnerability to cause a denial of service condition.
_CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142508&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Cúram Social Program Management 7.0.5.0 - 7.0.6.0

IBM Cúram Social Program Management 7.0.0.0 - 7.0.4.2

Note: The Google Guava library was not present in version 6.1.x and earlier versions, so these versions are not vulnerable.

Remediation/Fixes

7.0.7

| Visit IBM Fix Central and upgrade to 7.0.7 or a subsequent 7.0.7 release.
Cúram SPM |

7.0.4

| Visit IBM Fix Central and upgrade to 7.0.4.3 or a subsequent 7.0.4 release.

Workarounds and Mitigations

For information about all other versions, contact IBM Cúram Social Program Management customer support.