Bug 1928172 (CVE-2020-13949) - CVE-2020-13949 libthrift: potential DoS when processing untrusted payloads
Summary: CVE-2020-13949 libthrift: potential DoS when processing untrusted payloads
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-13949
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1928175 1928813 1928174 1928176 1928808 1928809 1928810 1928811 1928812 1928814 1928815 1928895 1928896 1929386 1930024 1930025 1930026 1930027 1930233 1930234
Blocks: 1928173
Reported: 2021-02-12 14:48 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:09 UTC (History)

Fixed In Version: libthrift 0.14.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libthrift. Applications using Thrift would not raise an error upon receiving messages declaring containers of sizes larger than the payload. As a result, a malicious RPC client can send a short message that causes a large memory allocation, potentially leading to denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-03-30 11:51:18 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2543 0 None None None 2021-06-24 15:20:00 UTC
Red Hat Product Errata RHSA-2021:5134 0 None None None 2021-12-14 21:33:42 UTC

Description Guilherme de Almeida Suckevicz 2021-02-12 14:48:16 UTC
Applications using Thrift would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

References:
https://www.openwall.com/lists/oss-security/2021/02/11/2
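The flaw described above, as an added example that is not libthrift's code or anything from the bug report: a toy reader for a Thrift binary-protocol list header in Python, showing the unchecked pattern beside a bounds check of the kind the description implies (declared element count times the element type's minimum wire size must not exceed the bytes remaining in the payload). The Thrift type ids are the real ones; the function names, the minimum-size table and the sample messages are constructed here.

```python
import struct

# Thrift TType ids a binary-protocol list header can declare (from the Thrift spec).
T_BOOL, T_BYTE, T_DOUBLE, T_I16, T_I32, T_I64 = 2, 3, 4, 6, 8, 10
T_STRING, T_STRUCT, T_MAP, T_SET, T_LIST = 11, 12, 13, 14, 15

# Smallest wire size of one element per type (constructed table): a list of N elements
# can never be shorter than N * MIN_ELEMENT_BYTES[elem_type], which bounds the allocation.
MIN_ELEMENT_BYTES = {T_BOOL: 1, T_BYTE: 1, T_DOUBLE: 8, T_I16: 2, T_I32: 4, T_I64: 8,
                     T_STRING: 4, T_STRUCT: 1, T_MAP: 6, T_SET: 5, T_LIST: 5}

class ProtocolError(Exception):
    pass

def read_list_header_unchecked(buf, pos):
    """Vulnerable pattern: trusts the declared count, so a 5-byte header can demand GiBs."""
    elem_type, size = struct.unpack_from(">bi", buf, pos)  # 1-byte type, big-endian i32 count
    return elem_type, size, pos + 5

def read_list_header_checked(buf, pos):
    """Hardened pattern: the count must be non-negative and fit in the remaining payload."""
    if len(buf) - pos < 5:
        raise ProtocolError("truncated list header")
    elem_type, size = struct.unpack_from(">bi", buf, pos)
    pos += 5
    if size < 0:
        raise ProtocolError("negative container size %d" % size)
    min_bytes = MIN_ELEMENT_BYTES.get(elem_type)
    if min_bytes is None:
        raise ProtocolError("unknown element type %d" % elem_type)
    if size * min_bytes > len(buf) - pos:
        raise ProtocolError("list declares %d elements (>= %d bytes) but only %d bytes remain"
                            % (size, size * min_bytes, len(buf) - pos))
    return elem_type, size, pos

def declared_allocation_bytes(buf, reader):
    """Bytes a naive reader would reserve for an i32 list, computed without allocating them."""
    elem_type, size, _ = reader(buf, 0)
    return size * MIN_ELEMENT_BYTES[elem_type]

def is_rejected(buf, reader=read_list_header_checked):
    """True if the reader refuses the message before any element buffer is allocated."""
    try:
        reader(buf, 0)
        return False
    except ProtocolError:
        return True

def read_i32_list(buf, pos=0, reader=read_list_header_checked):
    """Decode a binary-protocol list<i32>; the element buffer is sized only after the check."""
    elem_type, size, pos = reader(buf, pos)
    if elem_type != T_I32:
        raise ProtocolError("expected i32 elements, got type %d" % elem_type)
    values = list(struct.unpack_from(">%di" % size, buf, pos))
    return values, pos + 4 * size

# Constructed samples: a well-formed list<i32> [1, 2, 3], and a 5-byte header declaring
# 2**31-1 i32 elements with no payload behind it (the short-message pattern of this CVE).
GOOD_MSG = struct.pack(">bi3i", T_I32, 3, 1, 2, 3)
SHORT_MSG = struct.pack(">bi", T_I32, 2**31 - 1)
```

The unchecked reader accepts SHORT_MSG and reports that roughly 8 GiB would be reserved for it, while the checked reader rejects it on the header alone.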

Comment 1 Guilherme de Almeida Suckevicz 2021-02-12 14:50:15 UTC
Created golang-github-apache-thrift tracking bugs for this issue:

Affects: fedora-all [bug 1928176]


Created thrift tracking bugs for this issue:

Affects: epel-all [bug 1928175]
Affects: fedora-all [bug 1928174]

Comment 9 Jonathan Christison 2021-02-15 12:50:28 UTC
Marking Red Hat JBoss Fuse 6, Red Hat Fuse 7 and Red Hat Integration Camel-K as having a moderate impact. This is because, although a vulnerable version of libthrift is available for use in camel (camel-thrift), it does not run as a default service and a successful attack cannot be accomplished at will.

Comment 17 Jonathan Christison 2021-02-15 19:47:44 UTC
Marking Red Hat AMQ Streams as having a moderate impact. This is because in AMQ Streams the use of libthrift is through Jaeger; Jaeger tracing is not enabled by default and must be enabled for any possibility of a viable attack. Another factor is that the Jaeger client does not expose ports to the WAN, so instead the attack vector would be adjacent.

Comment 23 Ted Jongseok Won 2021-02-16 12:43:16 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Operations Network 3
 * Red Hat JBoss Data Virtualization 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 25 Ted Jongseok Won 2021-02-16 14:07:23 UTC
Marking Red Hat JBoss Enterprise Application Platform as having a moderate impact. This is because in Red Hat JBoss Enterprise Application Platform the use of libthrift is through the Jaeger client, and the Jaeger client does not create a thrift listener, which is a prerequisite of the attack.

Comment 32 Orion Poplawski 2021-02-18 02:58:17 UTC
thrift 0.14.0 is a so-name bump from 0.13.  Is there any indication what commit(s) fixed this issue?

Comment 36 lnacshon 2021-03-30 11:51:18 UTC
The ticket remained open, closing as wontfix

Comment 37 Summer Long 2021-04-19 00:43:57 UTC
Statement:

* A vulnerable version of the libthrift library is delivered in the listed OpenShift Container Platform (OCP) and OpenShift Jaeger (Jaeger) components, but the vulnerable code is not invoked; therefore these components are affected but with impact Moderate.

* For Red Hat OpenStack, because the fix would require a substantial amount of development and OpenDaylight is deprecated in all future versions (RHOSP10 was in tech preview), no update will be provided at this time for the RHOSP libthrift package.

Comment 39 errata-xmlrpc 2021-06-24 15:19:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.20

Via RHSA-2021:2543 https://access.redhat.com/errata/RHSA-2021:2543

Comment 42 errata-xmlrpc 2021-12-14 21:33:38 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
