Security Bulletin: Potential denial of service in WebSphere Application Server (CVE-2018-10237)

Summary

There is a potential denial of service with the Google Guava library that is used in WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2018-10237 DESCRIPTION: Google Guava is vulnerable to a denial of service, caused by improper eager allocation checks in the AtomicDoubleArray and CompoundOrdering class. By sending a specially-crafted data, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142508&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server:

• WebSphere Application Server Liberty
• WebSphere Application Server Traditional Version 9
• WebSphere Application Server Traditional Version 8.5

Remediation/Fixes

The recommended solution is to apply the interim fix, or Fix Pack as soon as practical.

For WebSphere Application Server Liberty:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH07297
--OR–
· Apply Fix Pack 19.0.0.1 or later (targeted availability 1Q2019).

For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:

For V9.0.0.0 through 9.0.0.10:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH07297
--OR–
· Apply Fix Pack 9.0.0.11 or later (targeted availability 2Q2019)

For V8.5.0.0 through 8.5.5.14 using Java SE 6:
· Refer to the following note: Java SE 6 end of service

For V8.5.0.0 through 8.5.5.14 using Java SE 7 or later:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH07297
--OR–
· Apply Fix Pack 8.5.5.16 or later (targeted availability 4Q2019)