Bug 1764607 (CVE-2019-0210)
| Summary: | CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aboyko, aileenc, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, bmontgom, brian.stansberry, cdewolf, chazlett, ctubbsii, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, eparis, ggaughan, gvarsami, iweiss, janstey, jawilson, jbalunas, jburrell, jcoleman, jjoyce, jochrist, jokerman, jolee, jpallich, jperkins, jschatte, jschluet, jstastny, kbasil, kconner, krathod, kwills, ldimaggi, lgao, lhh, loleary, lpeer, lthon, mburns, milleruntime, msochure, msvehla, mszynkie, nstielau, nwallace, pdrozd, pgallagh, pmackay, psotirop, rcernich, rguimara, rhos-maint, rruss, rsvoboda, rwagner, sclewis, slinaber, smaestri, spinder, sponnaga, sthorger, tcunning, theute, tkirby, tom.jenkinson, twalsh, vhalbert, willb |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | thrift 0.13.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-03-12 22:31:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1764608, 1764609 | | |
| Bug Blocks: | 1764610 | | |
Description
Pedro Sampaio
2019-10-23 13:05:45 UTC
Created thrift tracking bugs for this issue:

Affects: epel-7 [bug 1764609]
Affects: fedora-all [bug 1764608]

RHOSP: thrift is shipped in ODL which is java based, not golang which is required for this flaw.

libthrift version shipped with RHSSO 7.3.4 is: rhsso-7.3.4/modules/system/layers/base/org/apache/thrift/main/libthrift-0.11.0.redhat-00006.jar which seems to be affected. Also I am unable to locate the affected class (TJSONProtocol or TSimpleJSONProtocol) in jaeger-thrift-0.30.6.redhat-00001.jar (shipped with RHSSO 7.3.4) so I am marking RHSSO component jaeger-thrift as not affected.

This vulnerability is out of security support scope for the following products:

* Red Hat JBoss Operations Network 3
* Red Hat JBoss Fuse Service Works 6
* Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

There's only a single commit between v0.12.0 and v0.13.0 that touches the Go JSONProtocol implementation, which therefore must be the patch:

$ git log v0.12.0..v0.13.0 -- lib/go/thrift/simple_json_protocol.go
commit 264a3f318ed3e9e51573f67f963c8509786bcec2
Author: Jens Geyer <jensg>
Date:   Sat Feb 23 13:11:40 2019 +0100

    additional test for TSimpleJSONProtocol

diff --git a/lib/go/thrift/simple_json_protocol.go b/lib/go/thrift/simple_json_protocol.go
index 2e8a7111..f5e0c05d 100644
--- a/lib/go/thrift/simple_json_protocol.go
+++ b/lib/go/thrift/simple_json_protocol.go
@@ -60,7 +60,7 @@ func (p _ParseContext) String() string {
 	return "UNKNOWN-PARSE-CONTEXT"
 }
 
-// JSON protocol implementation for thrift.
+// Simple JSON protocol implementation for thrift.
 //
 // This protocol produces/consumes a simple output format
 // suitable for parsing by scripting languages. It should not be
@@ -1316,7 +1316,7 @@ func (p *TSimpleJSONProtocol) readNumeric() (Numeric, error) {
 func (p *TSimpleJSONProtocol) safePeekContains(b []byte) bool {
 	for i := 0; i < len(b); i++ {
 		a, _ := p.reader.Peek(i + 1)
-		if len(a) == 0 || a[i] != b[i] {
+		if len(a) < (i+1) || a[i] != b[i] {
 			return false
 		}
 	}

The modified function, safePeekContains(), is not present in 0.9.2, which is consistent with the upstream announcement stating that versions 0.9.3 through 0.12.0 are affected.

Statement:

Red Hat OpenStack Platform ships OpenDaylight, which contains a vulnerable version of libthrift. However, OpenDaylight is not affected as this is a Golang specific problem, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

The version of thrift delivered in OpenShift Container Platform is not affected by this vulnerability as it does not contain the affected code.

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0811 https://access.redhat.com/errata/RHSA-2020:0811

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:0806 https://access.redhat.com/errata/RHSA-2020:0806

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:0804 https://access.redhat.com/errata/RHSA-2020:0804

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:0805 https://access.redhat.com/errata/RHSA-2020:0805

This bug is now closed.
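Review bot: the commit message "additional test for TSimpleJSONProtocol" does not mention the bounds-check fix that sits in the same commit at @@ -1316, and this first hunk is only a comment wording change ("JSON protocol" to "Simple JSON protocol"); a message naming the safePeekContains() short-read fix would have made the security-relevant part of the commit discoverable without the git log search the analysis above had to do.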
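Review bot: the old condition `if len(a) == 0 || a[i] != b[i] {` only rejects an empty peek, so when `p.reader.Peek(i + 1)` returns fewer than i+1 bytes (the input ends inside the token being matched) `a[i]` indexes past the returned slice; in Go that is a runtime index-out-of-range panic, which is how the out-of-bounds read in this CVE surfaces. The new `if len(a) < (i+1) || a[i] != b[i] {` guard is correct. Two follow-ups for the same lines: the error from Peek is discarded in `a, _ := p.reader.Peek(i + 1)`, and checking it would make the short-read case explicit instead of relying on the length comparison alone; and peeking i+1 bytes on every iteration is quadratic in len(b), so a single `p.reader.Peek(len(b))`, a length check, and `bytes.Equal` would do the same job in one call.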
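The safePeekContains() change in the patch above, as an added example (not code from the thrift project or from this bug's commenters): the vulnerable and fixed loop bodies are copied from the hunk, wrapped around a bufio.Reader over constructed inputs, and run under recover() so the panic on a truncated stream can be observed next to the fixed form's clean false. The function names, the probe helper and the sample inputs are assumptions made for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Vulnerable form (thrift 0.9.3 through 0.12.0 per the bug): only an empty
// peek is rejected, so a short peek (fewer than i+1 bytes) makes a[i] index
// past the slice, which in Go is a runtime panic rather than a silent read.
func safePeekContainsOld(r *bufio.Reader, b []byte) bool {
	for i := 0; i < len(b); i++ {
		a, _ := r.Peek(i + 1)
		if len(a) == 0 || a[i] != b[i] {
			return false
		}
	}
	return true
}

// Fixed form (thrift 0.13.0): the peeked slice must actually hold i+1 bytes.
func safePeekContainsNew(r *bufio.Reader, b []byte) bool {
	for i := 0; i < len(b); i++ {
		a, _ := r.Peek(i + 1)
		if len(a) < (i+1) || a[i] != b[i] {
			return false
		}
	}
	return true
}

// probe runs fn over input and reports whether it panicked, so both forms can
// be compared on the same stream (helper assumed for this example).
func probe(fn func(*bufio.Reader, []byte) bool, input string, token []byte) (result bool, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	r := bufio.NewReader(strings.NewReader(input))
	return fn(r, token), false
}

func main() {
	// Constructed input: the stream ends inside the token, the case the fix addresses.
	_, oldPanics := probe(safePeekContainsOld, "tr", []byte("true"))
	ok, newPanics := probe(safePeekContainsNew, "tr", []byte("true"))
	fmt.Println("old panics:", oldPanics, "new panics:", newPanics, "new result:", ok)
}
```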
Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-0210

This issue has been addressed in the following products:

Red Hat Single Sign-On

Via RHSA-2020:0951 https://access.redhat.com/errata/RHSA-2020:0951

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0961 https://access.redhat.com/errata/RHSA-2020:0961

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:0962 https://access.redhat.com/errata/RHSA-2020:0962

This issue has been addressed in the following products:

Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067

This issue has been addressed in the following products:

Red Hat Data Grid 7.3.6

Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321

This issue has been addressed in the following products:

EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2020:2511 https://access.redhat.com/errata/RHSA-2020:2511

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2515 https://access.redhat.com/errata/RHSA-2020:2515

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:2513 https://access.redhat.com/errata/RHSA-2020:2513

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2020:2512 https://access.redhat.com/errata/RHSA-2020:2512

This issue has been addressed in the following products:

Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568