Bug 1667204 (CVE-2018-1320)
Summary: | CVE-2018-1320 thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aboyko, ahardin, asoldano, atangrin, bbaranow, bleanhar, bmaxwell, bmontgom, brian.stansberry, ccoleman, cdewolf, chazlett, darran.lofthouse, dbecker, dedgar, dkreling, dosoudil, eparis, iweiss, jawilson, jburrell, jgoulding, jjoyce, jochrist, jokerman, jperkins, jschluet, jwon, kbasil, krathod, kwills, lgao, lhh, lpeer, mburns, mchappel, msochure, msvehla, nstielau, nwallace, pjindal, pmackay, psotirop, rguimara, rsvoboda, sclewis, slinaber, smaestri, spinder, sponnaga, tom.jenkinson |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | thrift 0.12.0 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-08-08 13:18:34 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1667205, 1667206, 1669339, 1669340, 1669341, 1700974, 1700984 | ||
Bug Blocks: | 1667207 |
Description
Laura Pardo
2019-01-17 17:56:49 UTC
Created thrift tracking bugs for this issue: Affects: epel-7 [bug 1667205] Affects: fedora-all [bug 1667206] Statement: OpenDaylight: OpenDaylight includes libthrift, however does not use the vulnerable functionality. OpenDaylight should be considered not affected by this flaw. This vulnerability is out of security support scope for the following product: * Red Hat JBoss Fuse Service Works 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. The version used in the JON storage node uses different authentication method than the SASL one from libthrift. As such, this can't bypass the authentication. This issue has been addressed in the following products: Red Hat Fuse 7.4.0 Via RHSA-2019:2413 https://access.redhat.com/errata/RHSA-2019:2413 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-1320 |