A flaw was found in Apache Thrift versions 0.9.3 to 0.12.0. A server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed invalid input data. References: https://seclists.org/oss-sec/2019/q4/29
Created thrift tracking bugs for this issue: Affects: epel-7 [bug 1764609] Affects: fedora-all [bug 1764608]
RHOSP: thrift is shipped in ODL, which is Java-based, not Golang, which is required for this flaw.
The libthrift version shipped with RHSSO 7.3.4 is rhsso-7.3.4/modules/system/layers/base/org/apache/thrift/main/libthrift-0.11.0.redhat-00006.jar, which seems to be affected. Also, I am unable to locate the affected class (TJSONProtocol or TSimpleJSONProtocol) in jaeger-thrift-0.30.6.redhat-00001.jar (shipped with RHSSO 7.3.4), so I am marking the RHSSO component jaeger-thrift as not affected.
This vulnerability is out of security support scope for the following products: * Red Hat JBoss Operations Network 3 * Red Hat JBoss Fuse Service Works 6 * Red Hat JBoss Data Virtualization & Services 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
There's only a single commit between v0.12.0 and v0.13.0 that touches the Go JSONProtocol implementation, which therefore must be the patch: $ git log v0.12.0..v0.13.0 -- lib/go/thrift/simple_json_protocol.go commit 264a3f318ed3e9e51573f67f963c8509786bcec2 Author: Jens Geyer <jensg> Date: Sat Feb 23 13:11:40 2019 +0100 additional test for TSimpleJSONProtocol diff --git a/lib/go/thrift/simple_json_protocol.go b/lib/go/thrift/simple_json_protocol.go index 2e8a7111..f5e0c05d 100644 --- a/lib/go/thrift/simple_json_protocol.go +++ b/lib/go/thrift/simple_json_protocol.go @@ -60,7 +60,7 @@ func (p _ParseContext) String() string { return "UNKNOWN-PARSE-CONTEXT" } -// JSON protocol implementation for thrift. +// Simple JSON protocol implementation for thrift. // // This protocol produces/consumes a simple output format // suitable for parsing by scripting languages. It should not be @@ -1316,7 +1316,7 @@ func (p *TSimpleJSONProtocol) readNumeric() (Numeric, error) { func (p *TSimpleJSONProtocol) safePeekContains(b []byte) bool { for i := 0; i < len(b); i++ { a, _ := p.reader.Peek(i + 1) - if len(a) == 0 || a[i] != b[i] { + if len(a) < (i+1) || a[i] != b[i] { return false } } The modified function, safePeekContains(), is not present in 0.9.2, which is consistent with the upstream announcement stating that versions 0.9.3 through 0.12.0 are affected.
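Review bot: the new bound `len(a) < (i+1)` in the safePeekContains() hunk is the right guard, since bufio.Reader.Peek(i+1) returns a short but non-empty slice when fewer than i+1 bytes remain and the old `len(a) == 0` test let `a[i]` index past the end, but the error from Peek is still discarded on the unchanged line `a, _ := p.reader.Peek(i + 1)`, so a short read caused by an I/O error is indistinguishable from a token mismatch. Consider also that peeking one more byte per iteration is quadratic in len(b); a single `a, _ := p.reader.Peek(len(b))` followed by `bytes.Equal(a, b)` gives the same result (Equal is false on a short slice) with one peek.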
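To make the panic described in the bug report and pinned down by the patch analysis above concrete, here is an added, self-contained Go example. It is not code from this bug or from the Thrift project: it copies the two versions of the peek loop (before and after commit 264a3f3) into stand-alone functions over a bufio.Reader, runs both against constructed byte sequences that stand in for what the protocol sees when it checks for a literal such as "null" at the current position, and recovers the panic so the difference can be printed. The function and case names are the example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// vulnerableSafePeekContains reproduces the pre-fix loop (Thrift 0.9.3-0.12.0).
// Each iteration peeks i+1 bytes and then reads a[i]. bufio.Reader.Peek returns
// a short, non-empty slice when fewer than i+1 bytes remain, so the
// `len(a) == 0` guard passes and a[i] indexes past the end: runtime panic.
func vulnerableSafePeekContains(r *bufio.Reader, b []byte) bool {
	for i := 0; i < len(b); i++ {
		a, _ := r.Peek(i + 1)
		if len(a) == 0 || a[i] != b[i] {
			return false
		}
	}
	return true
}

// fixedSafePeekContains reproduces the loop after commit 264a3f3: a[i] is only
// read once Peek has confirmed that at least i+1 bytes are available.
func fixedSafePeekContains(r *bufio.Reader, b []byte) bool {
	for i := 0; i < len(b); i++ {
		a, _ := r.Peek(i + 1)
		if len(a) < (i+1) || a[i] != b[i] {
			return false
		}
	}
	return true
}

// Matcher is the shared signature of the two variants above (example's own type).
type Matcher func(*bufio.Reader, []byte) bool

// CheckToken feeds input to matcher looking for token and reports whether the
// token matched and whether the matcher panicked. The panic is recovered so
// this harness survives; a Thrift server has no such recover around the
// protocol code, so the serving goroutine (and usually the process) dies.
func CheckToken(matcher Matcher, input, token string) (matched, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
			matched = false
		}
	}()
	r := bufio.NewReader(strings.NewReader(input))
	matched = matcher(r, []byte(token))
	return matched, false
}

func main() {
	// Constructed inputs: the bytes a reader would see when the protocol checks
	// for the literal "null" at the current position.
	cases := []struct{ name, input string }{
		{"complete token", `null}`},
		{"truncated token", `nu`}, // connection closed mid-literal
		{"empty input", ``},
		{"different token", `nil}`},
	}
	for _, c := range cases {
		vm, vp := CheckToken(vulnerableSafePeekContains, c.input, "null")
		fm, fp := CheckToken(fixedSafePeekContains, c.input, "null")
		fmt.Printf("%-16s vulnerable: matched=%-5v panic=%-5v | fixed: matched=%-5v panic=%v\n",
			c.name, vm, vp, fm, fp)
	}
}
```

Only the truncated input differs between the two loops: the empty input is already caught by `len(a) == 0`, and a full or mismatching token never reaches the short-slice case, which is why the bug needs a token cut off after at least one matching byte, exactly what a peer that closes the connection mid-message produces.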
Upstream Patch: https://github.com/apache/thrift/commit/264a3f318ed3e9e51573f67f963c8509786bcec2
Statement: Red Hat OpenStack Platform ships OpenDaylight, which contains a vulnerable version of libthrift. However, OpenDaylight is not affected as this is a Golang specific problem, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time. The version of thrift delivered in OpenShift Container Platform is not affected by this vulnerability as it does not contain the affected code.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:0811 https://access.redhat.com/errata/RHSA-2020:0811
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 Via RHSA-2020:0806 https://access.redhat.com/errata/RHSA-2020:0806
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2020:0804 https://access.redhat.com/errata/RHSA-2020:0804
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2020:0805 https://access.redhat.com/errata/RHSA-2020:0805
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-0210
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2020:0951 https://access.redhat.com/errata/RHSA-2020:0951
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:0961 https://access.redhat.com/errata/RHSA-2020:0961
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2020:0962 https://access.redhat.com/errata/RHSA-2020:0962
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
This issue has been addressed in the following products: Red Hat Data Grid 7.3.6 Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321
This issue has been addressed in the following products: EAP-CD 19 Tech Preview Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2020:2511 https://access.redhat.com/errata/RHSA-2020:2511
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2515 https://access.redhat.com/errata/RHSA-2020:2515
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2020:2513 https://access.redhat.com/errata/RHSA-2020:2513
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2020:2512 https://access.redhat.com/errata/RHSA-2020:2512
This issue has been addressed in the following products: Red Hat Fuse 7.8.0 Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568