Bug 1667204 (CVE-2018-1320)

Summary: CVE-2018-1320 thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, ahardin, asoldano, atangrin, bbaranow, bleanhar, bmaxwell, bmontgom, brian.stansberry, ccoleman, cdewolf, chazlett, darran.lofthouse, dbecker, dedgar, dkreling, dosoudil, eparis, iweiss, jawilson, jburrell, jgoulding, jjoyce, jochrist, jokerman, jperkins, jschluet, jwon, kbasil, krathod, kwills, lgao, lhh, lpeer, mburns, mchappel, msochure, msvehla, nstielau, nwallace, pjindal, pmackay, psotirop, rguimara, rsvoboda, sclewis, slinaber, smaestri, spinder, sponnaga, tom.jenkinson
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: thrift 0.12.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-08 13:18:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1667205, 1667206, 1669339, 1669340, 1669341, 1700974, 1700984    
Bug Blocks: 1667207    

Description Laura Pardo 2019-01-17 17:56:49 UTC
Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.


References:
https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3Cuser.thrift.apache.org%3E

Comment 1 Laura Pardo 2019-01-17 17:57:04 UTC
Created thrift tracking bugs for this issue:

Affects: epel-7 [bug 1667205]
Affects: fedora-all [bug 1667206]

Comment 5 James Hebden 2019-01-25 00:27:47 UTC
Statement:

OpenDaylight:
OpenDaylight includes libthrift, however does not use the vulnerable functionality. OpenDaylight should be considered not affected by this flaw.

Comment 11 Joshua Padman 2019-05-16 13:26:05 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 12 Joshua Padman 2019-05-16 13:27:52 UTC
The version used in the JON storage node uses different authentication method than the SASL one from libthrift. As such, this can't bypass the authentication.

Comment 14 errata-xmlrpc 2019-08-08 10:08:42 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.4.0

Via RHSA-2019:2413 https://access.redhat.com/errata/RHSA-2019:2413

Comment 15 Product Security DevOps Team 2019-08-08 13:18:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1320