Bug 1816346 (CVE-2019-11939)
| Summary: | CVE-2019-11939 thrift: Resource exhaustion via containers sizes messages | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abonas, aboyko, aileenc, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, bmontgom, brian.stansberry, cdewolf, chazlett, ctubbsii, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, eparis, gbrown, ggaughan, gmalinko, gvarsami, iweiss, janstey, jawilson, jbalunas, jburrell, jcoleman, jjoyce, jochrist, jokerman, jolee, jpallich, jperkins, jschatte, jschluet, jstastny, jwon, kbasil, kconner, krathod, kwills, ldimaggi, lgao, lhh, loleary, lpeer, lthon, mburns, milleruntime, mkolesni, msochure, msvehla, mszynkie, nstielau, nwallace, orion, pdrozd, pgallagh, pjindal, pmackay, psotirop, rcernich, rguimara, rruss, rsvoboda, rwagner, sclewis, scohen, slinaber, smaestri, spinder, sponnaga, sthorger, tcunning, theute, tkirby, tom.jenkinson, vhalbert, willb |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in thrift. Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-24 04:31:45 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1816347, 1816348 | ||
| Bug Blocks: | 1816350 | ||
|
Description
Pedro Sampaio
2020-03-23 20:16:39 UTC
Created thrift tracking bugs for this issue: Affects: epel-7 [bug 1816348] Affects: fedora-all [bug 1816347] The CVE description specifically identifies Facebook's fbthrift. However, that is not what is packaged in Fedora and EPEL. What is packaged in Fedora and EPEL is Apache Thrift. Is there an analogous CVE or bug tracker for the Apache Thrift project? This vulnerability is out of security support scope for the following products: * Red Hat Jboss Fuse 6 * Fuse Service Works 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. In reply to comment #2: > The CVE description specifically identifies Facebook's fbthrift. However, > that is not what is packaged in Fedora and EPEL. What is packaged in Fedora > and EPEL is Apache Thrift. Is there an analogous CVE or bug tracker for the > Apache Thrift project? Agreed. I'm just following that up now - not sure if there's any bug for it with the Apache Thrift project. At first glance this looks like it will affect Apache Thrift as well as they do share the affected code. But I haven't fully tested where it truly is yet. This vulnerability is out of security support scope for the following products: * Red Hat JBoss Data Virtualization 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11939 |