Deserialization DOS Vulnerability reported in Guava - BloomReach Experience - Open Source CMS

Deserialization DOS Vulnerability reported in Guava 

Issue date: 18-02-2019
Affects versions: 12.6, 12.5, 11.2

Issue ID: SECURITY-88

Affected Product Version(s)
This vulnerability affects projects based on Hippo CMS 12.6.0, 12.5.1, 11.2.10, or earlier.

Severity 
Medium

Description

CVE-2018-10237 was reported against Guava and affects the versions currently used in brXM 11.2.10 (16.0.1) and 12.6.0 (22.0) and earlier. This can allow malicious software to cause denial of service using maliciously formatted data. To resolve this vulnerability, the Guava dependency was updated to use version 24.1.1-jre in brXM 11.2.11 and 12.6.1.

Instructions

Every CMS customer is strongly advised to upgrade as soon as possible to the latest CMS maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project. Please consult the Guava change logs for details of any incompatibilities that may be introduced, as usage of Guava APIs within an implementation project may be affected.