Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
Created thrift tracking bugs for this issue:
Affects: epel-7 [bug 1667205]
Affects: fedora-all [bug 1667206]
OpenDaylight includes libthrift, however does not use the vulnerable functionality. OpenDaylight should be considered not affected by this flaw.
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
The version used in the JON storage node uses different authentication method than the SASL one from libthrift. As such, this can't bypass the authentication.