Applications using Thrift would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. References: https://www.openwall.com/lists/oss-security/2021/02/11/2
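To illustrate the defect described above, here is an added example (constructed for this page, not Apache Thrift's own decoder) of a minimal binary-protocol-style list reader: a header of one element-type byte plus a big-endian int32 count, followed by i32 elements. The unchecked decoder preallocates from the declared count, so a 5-byte message claiming 100 million elements forces a large allocation before any element is read; the checked decoder bounds the count by the bytes actually present and by a configurable cap before allocating. The element-type id and the cap value are assumptions.

```python
import struct

T_I32 = 8        # Thrift TType id for i32 (assumed for this example)
I32_SIZE = 4     # wire size of one i32 element
HEADER_SIZE = 5  # 1 byte element type + 4 byte count

class ProtocolError(Exception):
    pass

def read_list_header(buf: bytes, pos: int):
    """Return (element_type, declared_count, next_pos) without allocating."""
    if len(buf) - pos < HEADER_SIZE:
        raise ProtocolError("truncated list header")
    etype = buf[pos]
    (count,) = struct.unpack_from(">i", buf, pos + 1)
    return etype, count, pos + HEADER_SIZE

def decode_list_unchecked(buf: bytes):
    """Vulnerable pattern: trust the declared count and preallocate from it."""
    etype, count, pos = read_list_header(buf, 0)
    out = [None] * count          # sized by peer-controlled count, before reading payload
    for i in range(count):
        (out[i],) = struct.unpack_from(">i", buf, pos)
        pos += I32_SIZE
    return out

def decode_list_checked(buf: bytes, max_elems: int = 1_000_000):
    """Hardened pattern: refuse counts the payload cannot actually hold."""
    etype, count, pos = read_list_header(buf, 0)
    if etype != T_I32:
        raise ProtocolError(f"unsupported element type {etype}")
    if count < 0 or count > max_elems:
        raise ProtocolError(f"container size {count} out of range")
    # `count` i32 elements need count*4 more bytes; check before any allocation.
    if count * I32_SIZE > len(buf) - pos:
        raise ProtocolError(f"declared {count} elements but only {len(buf) - pos} bytes remain")
    out = []
    for _ in range(count):
        (v,) = struct.unpack_from(">i", buf, pos)
        out.append(v)
        pos += I32_SIZE
    return out

def is_rejected(buf: bytes) -> bool:
    """True if the checked decoder refuses the message."""
    try:
        decode_list_checked(buf)
    except ProtocolError:
        return True
    return False

# Constructed sample messages: a well-formed 3-element list, and a 5-byte
# message whose header claims 100 million elements (do not feed the latter
# to decode_list_unchecked: it would allocate roughly 800 MB of list slots).
GOOD = bytes([T_I32]) + struct.pack(">i", 3) + struct.pack(">iii", 1, 2, 3)
SHORT_HUGE = bytes([T_I32]) + struct.pack(">i", 100_000_000)
```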
Created golang-github-apache-thrift tracking bugs for this issue:
Affects: fedora-all [bug 1928176]

Created thrift tracking bugs for this issue:
Affects: epel-all [bug 1928175]
Affects: fedora-all [bug 1928174]
Marking Red Hat JBoss Fuse 6, Red Hat Fuse 7 and Red Hat Integration Camel-K as having a moderate impact. This is because, although a vulnerable version of libthrift is available for use in Camel (camel-thrift), it does not run as a default service and a successful attack cannot be accomplished at will.
Marking Red Hat AMQ Streams as having a moderate impact. This is because in AMQ Streams the use of libthrift is through Jaeger, and Jaeger tracing is not enabled by default and must be enabled for any possibility of a viable attack. Another factor is that the Jaeger client does not expose ports to the WAN, so the attack vector would instead be adjacent.
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss Operations Network 3
* Red Hat JBoss Data Virtualization 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Marking Red Hat JBoss Enterprise Application Platform as having a moderate impact. This is because in Red Hat JBoss Enterprise Application Platform the use of libthrift is through the Jaeger client, and the Jaeger client does not create a Thrift listener, which is a prerequisite of the attack.
thrift 0.14.0 is a so-name bump from 0.13. Is there any indication what commit(s) fixed this issue?
The ticket remained open, closing as wontfix
Statement:
* A vulnerable version of the libthrift library is delivered in the listed OpenShift Container Platform (OCP) and OpenShift Jaeger (Jaeger) components, but the vulnerable code is not invoked; therefore these components are affected, but with impact Moderate.
* For Red Hat OpenStack, because the fix would require a substantial amount of development and OpenDaylight is deprecated in all future versions (RHOSP10 was in tech preview), no update will be provided at this time for the RHOSP libthrift package.
This issue has been addressed in the following products: Red Hat OpenShift Jaeger 1.20 Via RHSA-2021:2543 https://access.redhat.com/errata/RHSA-2021:2543
This issue has been addressed in the following products: Red Hat Fuse 7.10 Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134