A flaw was found in Apache Thrift up to and including 0.12.0. A server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed by THRIFT-4024 in version 0.11.0, depending on the installed version it affects only certain language bindings. References: https://seclists.org/oss-sec/2019/q4/28
Created thrift tracking bugs for this issue: Affects: epel-7 [bug 1764614] Affects: fedora-all [bug 1764613]
libthrift version shipped with RHSSO 7.3.4 is libthrift-0.11.0.redhat-00006.jar and issue seems to be not completely fixed in this version so I am marking it as affected. For Reference: https://seclists.org/oss-sec/2019/q4/28
This vulnerability is out of security support scope for the following products: * Red Hat JBoss Operations Network 3 * Red Hat JBoss Fuse Service Works 6 * Red Hat JBoss Data Virtualization & Services 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Upstream Issues: https://issues.apache.org/jira/browse/THRIFT-4784 https://issues.apache.org/jira/browse/THRIFT-4024 Upstream Fix: https://github.com/apache/thrift/pull/1737
Statement: Red Hat OpenStack Platform ships OpenDaylight, which contains a vulnerable version of libthrift. However, OpenDaylight does not expose libthrift in a vulnerable way, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time. The thrift package in OpenShift Container Platform is installed only in Curator images in the Logging stack. The affected code is included in this package, it's functionality is not used. This vulnerability is therefore rated Low for OpenShift Container Platform.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:0811 https://access.redhat.com/errata/RHSA-2020:0811
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 Via RHSA-2020:0806 https://access.redhat.com/errata/RHSA-2020:0806
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2020:0804 https://access.redhat.com/errata/RHSA-2020:0804
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2020:0805 https://access.redhat.com/errata/RHSA-2020:0805
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-0205
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2020:0951 https://access.redhat.com/errata/RHSA-2020:0951
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:0961 https://access.redhat.com/errata/RHSA-2020:0961
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2020:0962 https://access.redhat.com/errata/RHSA-2020:0962
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
This issue has been addressed in the following products: Red Hat Data Grid 7.3.6 Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321
This issue has been addressed in the following products: EAP-CD 19 Tech Preview Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2020:2511 https://access.redhat.com/errata/RHSA-2020:2511
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2515 https://access.redhat.com/errata/RHSA-2020:2515
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2020:2513 https://access.redhat.com/errata/RHSA-2020:2513
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2020:2512 https://access.redhat.com/errata/RHSA-2020:2512
More Upstream fixes (for Golang libraries can be found here): https://github.com/apache/thrift/pull/1155/files
This issue has been addressed in the following products: Red Hat Fuse 7.8.0 Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568