Bug 1764612 (CVE-2019-0205)

Summary: CVE-2019-0205 thrift: Endless loop when feed with specific input data
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, aileenc, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, bmontgom, brian.stansberry, cdewolf, chazlett, ctubbsii, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, eparis, ggaughan, gvarsami, iweiss, janstey, jawilson, jbalunas, jburrell, jcoleman, jjoyce, jochrist, jokerman, jolee, jpallich, jperkins, jschatte, jschluet, jstastny, kbasil, kconner, krathod, kwills, ldimaggi, lgao, lhh, loleary, lpeer, lthon, mburns, milleruntime, msochure, msvehla, mszynkie, nstielau, nwallace, pdrozd, pgallagh, pmackay, psotirop, rcernich, rguimara, rruss, rsvoboda, rwagner, sclewis, sfowler, slinaber, smaestri, spinder, sponnaga, sthorger, tcunning, theute, tkirby, tom.jenkinson, twalsh, vhalbert, willb
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: thrift 0.13.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-12 22:31:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1764613, 1764614    
Bug Blocks: 1764610    

Description Pedro Sampaio 2019-10-23 13:10:50 UTC 
A flaw was found in Apache Thrift up to and including 0.12.0. A server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed by THRIFT-4024 in version 0.11.0, depending on the installed version 
it affects only certain language bindings.

References:

https://seclists.org/oss-sec/2019/q4/28
Comment 1 Pedro Sampaio 2019-10-23 13:11:51 UTC 
Created thrift tracking bugs for this issue:

Affects: epel-7 [bug 1764614]
Affects: fedora-all [bug 1764613]
Comment 4 Paramvir jindal 2019-11-19 16:37:00 UTC 
libthrift version shipped with RHSSO 7.3.4 is libthrift-0.11.0.redhat-00006.jar and issue seems to be not completely fixed in this version so I am marking it as affected.

For Reference: https://seclists.org/oss-sec/2019/q4/28
Comment 9 Kunjan Rathod 2019-12-07 00:21:31 UTC 
This vulnerability is out of security support scope for the following products:

 * Red Hat JBoss Operations Network 3
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 12 Sam Fowler 2020-01-09 01:34:41 UTC 
Upstream Issues:

https://issues.apache.org/jira/browse/THRIFT-4784
https://issues.apache.org/jira/browse/THRIFT-4024


Upstream Fix:

https://github.com/apache/thrift/pull/1737
Comment 13 Sam Fowler 2020-01-14 05:11:22 UTC 
Statement:

Red Hat OpenStack Platform ships OpenDaylight, which contains a vulnerable version of libthrift. However, OpenDaylight does not expose libthrift in a vulnerable way, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

The thrift package in OpenShift Container Platform is installed only in Curator images in the Logging stack. The affected code is included in this package, it's functionality is not used. This vulnerability is therefore rated Low for OpenShift Container Platform.
Comment 14 errata-xmlrpc 2020-03-12 17:00:30 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0811 https://access.redhat.com/errata/RHSA-2020:0811
Comment 15 errata-xmlrpc 2020-03-12 17:01:29 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:0806 https://access.redhat.com/errata/RHSA-2020:0806
Comment 16 errata-xmlrpc 2020-03-12 17:04:22 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:0804 https://access.redhat.com/errata/RHSA-2020:0804
Comment 17 errata-xmlrpc 2020-03-12 17:05:47 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:0805 https://access.redhat.com/errata/RHSA-2020:0805
Comment 18 Product Security DevOps Team 2020-03-12 22:31:48 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-0205
Comment 20 errata-xmlrpc 2020-03-23 20:13:43 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:0951 https://access.redhat.com/errata/RHSA-2020:0951
Comment 21 errata-xmlrpc 2020-03-24 11:13:37 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0961 https://access.redhat.com/errata/RHSA-2020:0961
Comment 22 errata-xmlrpc 2020-03-24 11:38:39 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:0962 https://access.redhat.com/errata/RHSA-2020:0962
Comment 24 errata-xmlrpc 2020-05-18 10:26:57 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
Comment 25 errata-xmlrpc 2020-05-26 16:09:55 UTC 
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.6

Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321
Comment 26 errata-xmlrpc 2020-05-28 15:59:20 UTC 
This issue has been addressed in the following products:

  EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333
Comment 27 errata-xmlrpc 2020-06-10 19:05:42 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2020:2511 https://access.redhat.com/errata/RHSA-2020:2511
Comment 28 errata-xmlrpc 2020-06-10 19:23:57 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2515 https://access.redhat.com/errata/RHSA-2020:2515
Comment 29 errata-xmlrpc 2020-06-11 07:08:32 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:2513 https://access.redhat.com/errata/RHSA-2020:2513
Comment 30 errata-xmlrpc 2020-06-11 07:16:58 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2020:2512 https://access.redhat.com/errata/RHSA-2020:2512
Comment 33 Jason Shepherd 2020-11-23 23:37:26 UTC 
More Upstream fixes (for Golang libraries can be found here):

https://github.com/apache/thrift/pull/1155/files
Comment 34 errata-xmlrpc 2020-12-16 12:12:27 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568