This repository has been archived by the owner on Jul 19, 2024. It is now read-only.

Security Vulnerability in dependent library #563

Open
eydevelopment opened this issue Jun 24, 2021 · 0 comments
Comments

@eydevelopment

**WhiteSource utility flagged guava as a potential library that has a security vulnerability in azure-storage:jar:8.6.6.**

**Following is a dependency tree:**

```text
+- com.microsoft.azure:azure-storage:jar:8.6.6:compile
+- com.fasterxml.jackson.core:jackson-core:jar:2.9.4:compile
+- org.slf4j:slf4j-api:jar:1.7.12:compile
+- org.apache.commons:commons-lang3:jar:3.4:compile
- com.microsoft.azure:azure-keyvault-core:jar:1.2.4:compile
+- (org.apache.commons:commons-lang3:jar:3.8.1:compile - omitted for conflict with 3.4)
- com.google.guava:guava:jar:24.1.1-jre:compile
```

Following is the WhiteSource message:

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

And suggested fixes:

I. Upgrade to version 24.1.1-jre, 24.1.1-android

II. Red Hat has issued a fix.
The Red Hat advisory is available at:
https://access.redhat.com/errata/RHSA-2018:2740
https://access.redhat.com/errata/RHSA-2018:2741
https://access.redhat.com/errata/RHSA-2018:2742
https://access.redhat.com/errata/RHSA-2018:2743

III. Replace or update the following files: AtomicDoubleArray.java, AtomicDoubleArray.java, CompoundOrdering_CustomFieldSerializer.java
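As an added example (not part of the issue or of the azure-storage project), a small Python checker that reads `mvn dependency:tree` lines like the ones quoted above and flags any resolved guava entry whose version falls in the affected range the advisory text gives (11.0 up to, but not including, 24.1.1). The embedded tree is the one from the issue; the coordinate regex and the treatment of `-jre`/`-android` qualifiers as irrelevant to the range are assumptions of this example.

```python
import re
from typing import Iterator, List, NamedTuple

# Affected range quoted in the issue: Guava 11.0 through 24.x before 24.1.1.
VULN_MIN = (11, 0)
FIXED = (24, 1, 1)

# Standard Maven coordinates "group:artifact:packaging:version:scope", matched
# anywhere on the line so "(... - omitted for conflict with X)" entries count too.
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):(jar|pom|war):([\w.\-]+):(\w+)")

# Tree text as quoted in the issue (sample input for this example).
SAMPLE_TREE = """\
+- com.microsoft.azure:azure-storage:jar:8.6.6:compile
+- com.fasterxml.jackson.core:jackson-core:jar:2.9.4:compile
+- org.slf4j:slf4j-api:jar:1.7.12:compile
+- org.apache.commons:commons-lang3:jar:3.4:compile
- com.microsoft.azure:azure-keyvault-core:jar:1.2.4:compile
+- (org.apache.commons:commons-lang3:jar:3.8.1:compile - omitted for conflict with 3.4)
- com.google.guava:guava:jar:24.1.1-jre:compile
"""

class Dep(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: str
    omitted: bool  # Maven dropped this copy in favour of another version

def parse_tree(text: str) -> Iterator[Dep]:
    """Yield every coordinate found in `mvn dependency:tree` output."""
    for line in text.splitlines():
        m = COORD_RE.search(line)
        if m:
            group, artifact, _pkg, version, scope = m.groups()
            yield Dep(group, artifact, version, scope, "omitted for conflict" in line)

def version_key(version: str) -> tuple:
    """'24.1.1-jre' -> (24, 1, 1); the -jre/-android qualifier is assumed not to matter."""
    return tuple(int(p) for p in version.split("-", 1)[0].split(".") if p.isdigit())

def guava_is_vulnerable(version: str) -> bool:
    return VULN_MIN <= version_key(version) < FIXED

def flag_guava(text: str) -> List[Dep]:
    """Resolved (non-omitted) guava entries whose version is inside the affected range."""
    return [d for d in parse_tree(text)
            if (d.group, d.artifact) == ("com.google.guava", "guava")
            and not d.omitted and guava_is_vulnerable(d.version)]

if __name__ == "__main__":
    hits = flag_guava(SAMPLE_TREE)
    print([f"{d.group}:{d.artifact}:{d.version}" for d in hits] or "no guava in affected range")
```

Run against the tree quoted in the issue the checker returns no findings, because 24.1.1-jre is exactly the first fixed version the message names; the same function reports a hit for any older resolved guava, and omitted conflict entries are ignored since Maven never puts them on the classpath.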
