Welcome back to Nexus Intelligence Insights.
This month, we’re covering a vulnerability type that until recently, has flown a bit under the radar: deserialization of untrusted data.
Our featured vulnerability is CVE-2018-10237. This is a Guava vulnerability that can be exploited to create an unbounded memory, denial of service attack that can cripple or take down a server.
With so many other types of vulnerabilities getting the bulk of the average development team’s focus, it’s easy to forget about a component like Guava, that until recently, wasn’t quite as popular. Times change, and bad actors are getting more adept at using less obvious vectors to create chaos.
At Sonatype, our goal is to help organizations stay well informed and ahead of the open source software threat. Whether you’re a developer or involved in AppSec in general, Nexus Intelligence Insights, was created to put practical and actionable intelligence at your fingertips. We hope you find this month’s Insight useful.
Our team of 65 data analysts meticulously track open source vulnerabilities and the component and sub-component versions they impact. We marry precision data with automation to eliminate alert fatigue and allow developers to focus on the issues that really matter.
Do you have a topic in mind that you’d like to see us cover? Get in touch.