Bug 1928172 (CVE-2020-13949)

Summary: CVE-2020-13949 libthrift: potential DoS when processing untrusted payloads
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aboyko, aileenc, akoufoud, alazarot, alazar, almorale, anstephe, aos-bugs, asoldano, atangrin, avibelli, bbaranow, beth.white, bgeorges, bibryam, bmaxwell, bmontgom, brian.stansberry, cdewolf, chazlett, clement.escoffier, ctubbsii, dandread, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, eclipseo, eleandro, eparis, etirelli, ganandan, ggaughan, gghezzo, gmalinko, go-sig, gparvin, gsmet, hamadhan, hbraun, ibek, iweiss, janstey, jburrell, jcosta, jhrozek, jjoyce, jnethert, jochrist, jokerman, jolee, josorior, jpallich, jperkins, jramanat, jschatte, jschluet, jstastny, jweiser, jwon, kaycoth, krathod, kverlaen, kwills, lgamliel, lgao, lhh, lnacshon, loleary, lpeer, lthon, mburns, mfilanov, milleruntime, mkolesni, mnovotny, mrogers, msochure, msvehla, mszynkie, nstielau, nwallace, orion, pantinor, pdhamdhe, pdrozd, pgallagh, pjindal, pmackay, probinso, rfreiman, rguimara, rhel8-maint, rrajasek, rruss, rstancel, rsvoboda, rsynek, sbiarozk, sclewis, scohen, sdaley, sd-operator-metering, sdouglas, slinaber, smaestri, spinder, sponnaga, stcannon, sthorger, swoodman, swshanka, team-winc, tflannag, thee, theute, tom.jenkinson, xiyuan
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: libthrift 0.14.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libthrift. Applications using Thrift would not raise an error upon receiving messages that declare containers with sizes larger than the payload actually carries. As a result, a malicious RPC client can send a short message that triggers a large memory allocation, potentially leading to denial of service. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-03-30 11:51:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1928174, 1928175, 1928176, 1928808, 1928809, 1928810, 1928811, 1928812, 1928813, 1928814, 1928815, 1928895, 1928896, 1929386, 1930024, 1930025, 1930026, 1930027, 1930233, 1930234
Bug Blocks: 1928173

Description Guilherme de Almeida Suckevicz 2021-02-12 14:48:16 UTC
Applications using Thrift would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

References:
https://www.openwall.com/lists/oss-security/2021/02/11/2
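The failure mode described above (a container header whose declared element count is larger than what the payload can hold) as an added defensive example in Python; this is illustrative code written for this page, not part of the bug report or of the Thrift project's own fix. It reads TBinaryProtocol list and map headers and bounds the declared count by the bytes actually remaining before anything is allocated. The MAX_CONTAINER_SIZE ceiling and the sample messages are constructed assumptions for the example.

```python
import struct

# TBinaryProtocol type ids (Thrift wire spec)
T_BOOL, T_BYTE, T_DOUBLE, T_I16, T_I32, T_I64, T_STRING = 2, 3, 4, 6, 8, 10, 11
# Smallest wire footprint of one element per type; a string is at least its 4-byte length prefix.
MIN_ELEM_SIZE = {T_BOOL: 1, T_BYTE: 1, T_DOUBLE: 8, T_I16: 2, T_I32: 4, T_I64: 8, T_STRING: 4}
MAX_CONTAINER_SIZE = 1_000_000  # hypothetical hard ceiling chosen for this example

class ContainerTooLarge(ValueError):
    """Declared container size is impossible for the bytes actually received."""

def _check_count(count, min_elem_bytes, remaining):
    # Reject negative and absurd counts outright, then require that the payload
    # still holds at least count * (smallest element) bytes. A reader that
    # pre-sizes from the count alone would reserve 2^31 slots for a 5-byte message.
    if count < 0 or count > MAX_CONTAINER_SIZE:
        raise ContainerTooLarge(f"declared count {count} exceeds limit")
    if count * min_elem_bytes > remaining:
        raise ContainerTooLarge(f"count {count} needs >= {count * min_elem_bytes} bytes, only {remaining} left")

def read_list_begin(buf, offset=0):
    """List/set header: 1-byte element type, 4-byte big-endian count."""
    if len(buf) - offset < 5:
        raise ValueError("truncated list header")
    elem_type, count = struct.unpack_from(">bi", buf, offset)
    _check_count(count, MIN_ELEM_SIZE.get(elem_type, 1), len(buf) - offset - 5)
    return elem_type, count, offset + 5

def read_map_begin(buf, offset=0):
    """Map header: 1-byte key type, 1-byte value type, 4-byte big-endian count."""
    if len(buf) - offset < 6:
        raise ValueError("truncated map header")
    key_type, val_type, count = struct.unpack_from(">bbi", buf, offset)
    per_entry = MIN_ELEM_SIZE.get(key_type, 1) + MIN_ELEM_SIZE.get(val_type, 1)
    _check_count(count, per_entry, len(buf) - offset - 6)
    return key_type, val_type, count, offset + 6

def read_i32_list(buf, offset=0):
    """Fully decode a list<i32>; allocation happens only after the header check passed."""
    elem_type, count, pos = read_list_begin(buf, offset)
    if elem_type != T_I32:
        raise ValueError(f"expected i32 elements, got type {elem_type}")
    values = list(struct.unpack_from(f">{count}i", buf, pos))
    return values, pos + 4 * count

# Constructed sample messages (not captured traffic)
GOOD_MSG = struct.pack(">bi", T_I32, 3) + struct.pack(">3i", 1, 2, 3)    # honest 3-element list
MAP_MSG = struct.pack(">bbi", T_I32, T_I64, 1) + struct.pack(">iq", 7, 8)  # honest 1-entry map<i32,i64>
BAD_MSG = struct.pack(">bi", T_I32, 0x7FFFFFFF)                          # claims 2^31-1 elements, carries none
```

The check is a lower bound only (it cannot detect every malformed message), but it is enough to stop a 5-byte header from driving a multi-gigabyte allocation.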

Comment 1 Guilherme de Almeida Suckevicz 2021-02-12 14:50:15 UTC
Created golang-github-apache-thrift tracking bugs for this issue:

Affects: fedora-all [bug 1928176]


Created thrift tracking bugs for this issue:

Affects: epel-all [bug 1928175]
Affects: fedora-all [bug 1928174]

Comment 9 Jonathan Christison 2021-02-15 12:50:28 UTC
Marking Red Hat JBoss Fuse 6, Red Hat Fuse 7 and Red Hat Integration Camel-K as having a moderate impact. This is because, although a vulnerable version of libthrift is available for use in Camel (camel-thrift), it does not run as a default service and a successful attack cannot be accomplished at will.

Comment 17 Jonathan Christison 2021-02-15 19:47:44 UTC
Marking Red Hat AMQ Streams as having a moderate impact. This is because in AMQ Streams the use of libthrift is through Jaeger; Jaeger tracing is not enabled by default and must be enabled for any possibility of a viable attack. Another factor is that the Jaeger client does not expose ports to the WAN, so instead the attack vector would be adjacent.

Comment 23 Ted Jongseok Won 2021-02-16 12:43:16 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Operations Network 3
 * Red Hat JBoss Data Virtualization 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 25 Ted Jongseok Won 2021-02-16 14:07:23 UTC
Marking Red Hat JBoss Enterprise Application Platform as having a moderate impact. This is because in Red Hat JBoss Enterprise Application Platform the use of libthrift is through the Jaeger client, and the Jaeger client does not create a Thrift listener, which is a prerequisite of the attack.

Comment 32 Orion Poplawski 2021-02-18 02:58:17 UTC
thrift 0.14.0 is a so-name bump from 0.13. Is there any indication which commit(s) fixed this issue?

Comment 36 lnacshon 2021-03-30 11:51:18 UTC
The ticket remained open; closing as WONTFIX.

Comment 37 Summer Long 2021-04-19 00:43:57 UTC
Statement:

* A vulnerable version of the libthrift library is delivered in the listed OpenShift Container Platform (OCP) and OpenShift Jaeger (Jaeger) components, but the vulnerable code is not invoked; therefore these components are affected, but with impact Moderate.

* For Red Hat OpenStack, because the fix would require a substantial amount of development and OpenDaylight is deprecated in all future versions (RHOSP10 was in tech preview), no update will be provided at this time for the RHOSP libthrift package.

Comment 39 errata-xmlrpc 2021-06-24 15:19:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.20

Via RHSA-2021:2543 https://access.redhat.com/errata/RHSA-2021:2543

Comment 42 errata-xmlrpc 2021-12-14 21:33:38 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134