Go servers built on Facebook Thrift (fbthrift) did not return an error upon receiving messages that declared containers of sizes larger than the payload. As a result, a malicious client could send a short message that caused the server to allocate memory for the declared number of elements, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.03.16.00.
Upstream patch: https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757
References: https://www.facebook.com/security/advisories/cve-2019-11939
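The check the description calls for, shown as an added Go example that is not fbthrift's code and not the upstream patch: a minimal binary-protocol list<i32> decoder that, in unchecked mode, allocates the slice from the declared element count before reading a single element (so a five-byte header drives the allocation), and, in checked mode, refuses any count larger than the remaining payload divided by the minimum wire size of one element. The framing (one-byte element type followed by a big-endian int32 count), the two type IDs, the function names and the input messages are all constructed for this example and are not taken from fbthrift.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Element type IDs used by this example (a constructed subset of the
// Thrift binary-protocol TType table).
const (
	TypeI32 byte = 8
	TypeI64 byte = 10
)

var ErrContainerTooLarge = errors.New("declared container size exceeds remaining payload")

// minWireSize returns the smallest number of bytes one element of type t
// occupies on the wire. Because every element needs at least one byte, the
// remaining payload length divided by this value bounds the element count
// any honest message can carry.
func minWireSize(t byte) (int, error) {
	switch t {
	case TypeI32:
		return 4, nil
	case TypeI64:
		return 8, nil
	default:
		return 0, fmt.Errorf("unsupported element type %d", t)
	}
}

// readListHeader parses a list header: one element-type byte and a
// big-endian int32 element count.
func readListHeader(r io.Reader) (byte, int32, error) {
	var hdr [5]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return 0, 0, err
	}
	return hdr[0], int32(binary.BigEndian.Uint32(hdr[1:])), nil
}

// checkContainerSize is the hardening step: reject a declared count that
// cannot fit in the bytes still unread, before any allocation happens.
func checkContainerSize(r *bytes.Reader, elemType byte, size int32) error {
	perElem, err := minWireSize(elemType)
	if err != nil {
		return err
	}
	remaining := r.Len()
	if int64(size) > int64(remaining)/int64(perElem) {
		return fmt.Errorf("%w: %d elements declared, %d bytes remaining",
			ErrContainerTooLarge, size, remaining)
	}
	return nil
}

// ReadI32List decodes a list<i32>. With checked=false it mirrors the
// vulnerable pattern: make() runs on the attacker-controlled count before
// any element is read. With checked=true the count is validated first.
func ReadI32List(r *bytes.Reader, checked bool) ([]int32, error) {
	elemType, size, err := readListHeader(r)
	if err != nil {
		return nil, err
	}
	if elemType != TypeI32 {
		return nil, fmt.Errorf("expected i32 list, got element type %d", elemType)
	}
	if size < 0 {
		// A negative count would make make() panic in either mode; reject it up front.
		return nil, fmt.Errorf("negative list size %d", size)
	}
	if checked {
		if err := checkContainerSize(r, elemType, size); err != nil {
			return nil, err
		}
	}
	out := make([]int32, size) // the allocation that a short malicious message drives when unchecked
	var buf [4]byte
	for i := range out {
		if _, err := io.ReadFull(r, buf[:]); err != nil {
			if err == io.EOF {
				err = io.ErrUnexpectedEOF // a truncated list is never a clean EOF
			}
			return nil, err
		}
		out[i] = int32(binary.BigEndian.Uint32(buf[:]))
	}
	return out, nil
}

// encodeI32List builds a constructed list<i32> message whose header declares
// `declared` elements regardless of how many are actually appended.
func encodeI32List(declared int32, elems ...int32) []byte {
	var tmp [4]byte
	msg := []byte{TypeI32}
	binary.BigEndian.PutUint32(tmp[:], uint32(declared))
	msg = append(msg, tmp[:]...)
	for _, e := range elems {
		binary.BigEndian.PutUint32(tmp[:], uint32(e))
		msg = append(msg, tmp[:]...)
	}
	return msg
}

func main() {
	// Nine bytes on the wire, 1<<30 elements declared: checked mode refuses it.
	malicious := encodeI32List(1<<30, 7)
	_, err := ReadI32List(bytes.NewReader(malicious), true)
	fmt.Println("checked:", err)
	// Unchecked, with a smaller count so the demo itself stays cheap: 4 MiB is
	// allocated for a message carrying one element, then the read fails.
	_, err = ReadI32List(bytes.NewReader(encodeI32List(1<<20, 7)), false)
	fmt.Println("unchecked:", err)
}
```

The same `checkContainerSize` bound applies to sets and maps (for a map, use the sum of the minimum key and value sizes); the important property is that it runs before `make`, since the allocation itself is the damage.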
Created thrift tracking bugs for this issue:
Affects: epel-7 [bug 1816348]
Affects: fedora-all [bug 1816347]
The CVE description specifically identifies Facebook's fbthrift. However, that is not what is packaged in Fedora and EPEL. What is packaged in Fedora and EPEL is Apache Thrift. Is there an analogous CVE or bug tracker for the Apache Thrift project?
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
In reply to comment #2: > The CVE description specifically identifies Facebook's fbthrift. However, > that is not what is packaged in Fedora and EPEL. What is packaged in Fedora > and EPEL is Apache Thrift. Is there an analogous CVE or bug tracker for the > Apache Thrift project? Agreed. I'm just following that up now - not sure if there's any bug for it with the Apache Thrift project. At first glance this looks like it will affect Apache Thrift as well as they do share the affected code. But I haven't fully tested where it truly is yet.
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Data Virtualization 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11939