Bug 1816346 (CVE-2019-11939) - CVE-2019-11939 thrift: Resource exhaustion via containers sizes messages
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2019-11939
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1816347 1816348
Blocks: 1816350
Reported: 2020-03-23 20:16 UTC by Pedro Sampaio
Modified: 2021-06-09 13:35 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in thrift. Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
Clone Of:
Environment:
Last Closed: 2020-04-24 04:31:45 UTC
Embargoed:



Description Pedro Sampaio 2020-03-23 20:16:39 UTC
Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.03.16.00.

Upstream patch:

https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757

References:

https://www.facebook.com/security/advisories/cve-2019-11939
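The allocation pattern described above, as an added Go example that is not fbthrift or Apache Thrift code: a minimal binary-protocol list header reader, with the declared size trusted as-is beside the bounds-checked form. The message bytes and function names are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const i32Size = 4 // wire size of a Thrift i32 element
// Constructed inputs (not captured traffic). Thrift-binary-style list header:
// 1-byte element type (8 = i32) then a big-endian int32 count.
var shortMessage = []byte{0x08, 0x7f, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01} // claims 2^31-1 elements, carries one
var validMessage = []byte{0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x2a} // claims one element, carries one

// readListHeader parses the element type and declared count.
func readListHeader(buf []byte) (elemType byte, count int32, rest []byte, err error) {
	if len(buf) < 5 {
		return 0, 0, nil, fmt.Errorf("truncated list header: %d bytes", len(buf))
	}
	return buf[0], int32(binary.BigEndian.Uint32(buf[1:5])), buf[5:], nil
}

// unsafeAllocSize mirrors the flawed pattern: the declared count is trusted,
// so the 9-byte shortMessage drives an allocation of roughly 8 GiB.
func unsafeAllocSize(buf []byte) (int64, error) {
	_, count, _, err := readListHeader(buf)
	if err != nil {
		return 0, err
	}
	return int64(count) * i32Size, nil
}

// checkedListCount is the hardened form: reject a count that is negative or cannot
// fit in the remaining payload (for variable-size elements pass their minimum encoded size).
func checkedListCount(buf []byte, elemSize int) (int32, error) {
	_, count, rest, err := readListHeader(buf)
	if err != nil {
		return 0, err
	}
	if count < 0 || int64(count)*int64(elemSize) > int64(len(rest)) {
		return 0, fmt.Errorf("declared %d elements, only %d payload bytes", count, len(rest))
	}
	return count, nil
}

func main() {
	n, _ := unsafeAllocSize(shortMessage)
	_, err := checkedListCount(shortMessage, i32Size)
	fmt.Printf("trusted header: %d bytes from a %d-byte message; checked: %v\n", n, len(shortMessage), err)
}
```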

Comment 1 Pedro Sampaio 2020-03-23 20:17:42 UTC
Created thrift tracking bugs for this issue:

Affects: epel-7 [bug 1816348]
Affects: fedora-all [bug 1816347]

Comment 2 Christopher Tubbs 2020-03-24 06:36:19 UTC
The CVE description specifically identifies Facebook's fbthrift. However, that is not what is packaged in Fedora and EPEL. What is packaged in Fedora and EPEL is Apache Thrift. Is there an analogous CVE or bug tracker for the Apache Thrift project?

Comment 3 Jonathan Christison 2020-03-24 13:41:24 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6
 * Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 4 Mark Cooper 2020-03-26 00:50:46 UTC
In reply to comment #2:
> The CVE description specifically identifies Facebook's fbthrift. However,
> that is not what is packaged in Fedora and EPEL. What is packaged in Fedora
> and EPEL is Apache Thrift. Is there an analogous CVE or bug tracker for the
> Apache Thrift project?

Agreed. I'm just following that up now - not sure if there's any bug for it with the Apache Thrift project. 

At first glance this looks like it will affect Apache Thrift as well as they do share the affected code. But I haven't fully tested where it truly is yet.

Comment 7 Jonathan Christison 2020-04-09 15:13:09 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Data Virtualization 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 10 Product Security DevOps Team 2020-04-24 04:31:45 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11939

