Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
Created thrift tracking bugs for this issue:
Affects: epel-7 [bug 1667205]
Affects: fedora-all [bug 1667206]
OpenDaylight includes libthrift, however does not use the vulnerable functionality. OpenDaylight should be considered not affected by this flaw.
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
The version used in the JON storage node uses different authentication method than the SASL one from libthrift. As such, this can't bypass the authentication.
This issue has been addressed in the following products:
Red Hat Fuse 7.4.0
Via RHSA-2019:2413 https://access.redhat.com/errata/RHSA-2019:2413
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):