**The WhiteSource utility flagged guava as a library with a potential security vulnerability in azure-storage:jar:8.6.6.**
**Following is the dependency tree:**
```
+- com.microsoft.azure:azure-storage:jar:8.6.6:compile
   +- com.fasterxml.jackson.core:jackson-core:jar:2.9.4:compile
   +- org.slf4j:slf4j-api:jar:1.7.12:compile
   +- org.apache.commons:commons-lang3:jar:3.4:compile
   \- com.microsoft.azure:azure-keyvault-core:jar:1.2.4:compile
      +- (org.apache.commons:commons-lang3:jar:3.8.1:compile - omitted for conflict with 3.4)
      \- com.google.guava:guava:jar:24.1.1-jre:compile
```
Following is the WhiteSource message:
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
And the suggested fixes:
I. Upgrade to version 24.1.1-jre, 24.1.1-android
II. Red Hat has issued a fix. The Red Hat advisories are available at:
   https://access.redhat.com/errata/RHSA-2018:2740
   https://access.redhat.com/errata/RHSA-2018:2741
   https://access.redhat.com/errata/RHSA-2018:2742
   https://access.redhat.com/errata/RHSA-2018:2743
III. Replace or update the following files: AtomicDoubleArray.java, AtomicDoubleArray.java, CompoundOrdering_CustomFieldSerializer.java
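A defender-side check of the flagged dependency against the version range quoted in the scanner message, as an added example that is not part of the issue above: it parses `mvn dependency:tree` lines (the tree from the report, re-indented as constructed sample input), skips nodes Maven marked as omitted, and reports whether each resolved guava version falls inside "11.0 through 24.x before 24.1.1".

```python
import re

# Affected range as stated in the scanner message: Guava 11.0 through 24.x before 24.1.1
AFFECTED_MIN = (11, 0)
FIXED = (24, 1, 1)

# Constructed sample input: the dependency:tree lines from the report above
TREE = """\
+- com.microsoft.azure:azure-storage:jar:8.6.6:compile
|  +- com.fasterxml.jackson.core:jackson-core:jar:2.9.4:compile
|  +- org.slf4j:slf4j-api:jar:1.7.12:compile
|  +- org.apache.commons:commons-lang3:jar:3.4:compile
|  \\- com.microsoft.azure:azure-keyvault-core:jar:1.2.4:compile
|     +- (org.apache.commons:commons-lang3:jar:3.8.1:compile - omitted for conflict with 3.4)
|     \\- com.google.guava:guava:jar:24.1.1-jre:compile
"""

# groupId:artifactId:jar:version:scope as printed by the Maven dependency plugin
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")


def parse_version(version):
    """'24.1.1-jre' -> (24, 1, 1); the -jre/-android flavour does not affect the range."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version):
    """True when the version lies in [11.0, 24.1.1), the range the advisory text gives."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def guava_findings(tree_text):
    """Return (version, resolved, affected) for every com.google.guava:guava node.

    'resolved' is False for nodes Maven printed in parentheses as omitted; only the
    resolved version actually lands on the classpath and matters for the finding.
    """
    findings = []
    for line in tree_text.splitlines():
        match = COORD.search(line)
        if not match or (match.group(1), match.group(2)) != ("com.google.guava", "guava"):
            continue
        version = match.group(3)
        resolved = "omitted" not in line
        findings.append((version, resolved, is_affected(version)))
    return findings


if __name__ == "__main__":
    for version, resolved, affected in guava_findings(TREE):
        print(f"guava {version}: resolved={resolved} affected={affected}")
```

Run on the tree above, it reports the single resolved guava node, 24.1.1-jre, as outside the affected range the message quotes; the same function can be pointed at the full output of `mvn dependency:tree` for any module.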