Bug 13328

Summary: [CVE 21] thrift 0.10.0 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: High
CC: a.proklov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+, y.tumanov: secteam_verified+, a.proklov: published+
Target Milestone: 2021.1 Fresh R12
Hardware: All
OS: Linux
URL: CVE-2018-11798, CVE-2018-1320, CVE-2019-0210, CVE-2019-11938, CVE-2019-11939, CVE-2019-3552, CVE-2019-3553, CVE-2019-3558, CVE-2019-3559, CVE-2019-3564, CVE-2019-3565, CVE-2020-13949, CVE-2021-24028
Whiteboard:
Platform: 2021.1 ROSA
Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-05-03 18:03:30 MSK
Please patch CVEs for package thrift version 0.10.0

INFO (CVEs are): thrift 0.10.0 CVEs found
CVE-2018-11798
Desc: The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 has been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webserver's docroot path.
Link: https://nvd.nist.gov/vuln/detail/CVE-2018-11798
Severity: MEDIUM
CVE-2018-1320
Desc: Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
Link: https://nvd.nist.gov/vuln/detail/CVE-2018-1320
Severity: HIGH
CVE-2019-0210
Desc: In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed with invalid input data.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-0210
Severity: HIGH
CVE-2019-11938
Desc: Java Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.12.09.00.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-11938
Severity: HIGH
CVE-2019-11939
Desc: Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.03.16.00.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-11939
Severity: HIGH
CVE-2019-3552
Desc: C++ Facebook Thrift servers (using cpp2) would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.02.18.00.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-3552
Severity: HIGH
CVE-2019-3553
Desc: C++ Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.02.03.00.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-3553
Severity: HIGH
CVE-2019-3558
Desc: Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.02.18.00.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-3558
Severity: HIGH
CVE-2019-3559
Desc: Java Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.02.18.00.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-3559
Severity: HIGH
CVE-2019-3564
Desc: Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.03.04.00.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-3564
Severity: HIGH
CVE-2019-3565
Desc: Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.05.06.00.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-3565
Severity: HIGH
CVE-2020-13949
Desc: In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-13949
Severity: HIGH
CVE-2021-24028
Desc: An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects. This issue affects Facebook Thrift prior to v2021.02.22.00.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-24028
Severity: CRITICAL
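The denial-of-service pattern shared by CVE-2020-13949 and the CVE-2019-11938, CVE-2019-11939 and CVE-2019-3553 entries above (a short message whose container header declares far more elements than the payload can hold) and the slow-parse pattern behind CVE-2019-3552, CVE-2019-3558, CVE-2019-3559, CVE-2019-3564 and CVE-2019-3565 (containers of an unknown element type) both come down to acting on a container header before checking it against the bytes actually received. The following Python is an added example, not code from this bug, from Apache Thrift or from fbthrift: a reader for the Thrift binary-protocol list header that rejects the header before any allocation when the declared count cannot fit in the remaining payload, the element type id is unknown, the count is negative, or the whole message exceeds a configured size limit. The type ids and minimum encoded sizes follow the Thrift binary protocol; `MalformedMessage`, `read_list_header_checked`, `planned_allocation_unchecked`, `classify`, the 16 MiB default limit and the sample messages are this example's own constructions.

```python
from __future__ import annotations

import struct

# Minimum encoded size in bytes of one element of each Thrift binary-protocol
# type id (TType). Sizes follow the Thrift binary protocol encoding; any type id
# not listed here is treated as unknown and rejected up front.
MIN_ELEMENT_SIZE = {
    2: 1,   # BOOL
    3: 1,   # BYTE
    4: 8,   # DOUBLE
    6: 2,   # I16
    8: 4,   # I32
    10: 8,  # I64
    11: 4,  # STRING: 4-byte length prefix (body may be empty)
    12: 1,  # STRUCT: at least the STOP field byte
    13: 6,  # MAP: key type + value type + 4-byte count
    14: 5,  # SET: element type + 4-byte count
    15: 5,  # LIST: element type + 4-byte count
}

# Binary-protocol list header: element type (u8) followed by element count (i32, big-endian).
LIST_HEADER = struct.Struct(">Bi")


class MalformedMessage(ValueError):
    """Raised when a container header cannot be satisfied by the payload (example's own type)."""


def planned_allocation_unchecked(buf: bytes) -> int:
    """Bytes a reader that trusts the header would reserve before reading any payload.

    This mirrors the behaviour the CVEs describe: the declared count drives an
    allocation on its own, so five header bytes can request gigabytes. The size
    is returned rather than allocated so the example stays safe to run.
    """
    elem_type, count = LIST_HEADER.unpack_from(buf, 0)
    return count * MIN_ELEMENT_SIZE.get(elem_type, 1)


def read_list_header_checked(buf: bytes, offset: int = 0,
                             max_message_size: int = 16 * 1024 * 1024) -> tuple[int, int, int]:
    """Parse a list header and validate it against the bytes actually present.

    Returns (elem_type, count, offset_after_header). Raises MalformedMessage when
    the message exceeds max_message_size, the header is truncated, the count is
    negative, the element type is unknown, or the declared elements cannot fit
    in the remaining payload (each element needs at least MIN_ELEMENT_SIZE bytes).
    """
    if len(buf) > max_message_size:
        raise MalformedMessage(f"message of {len(buf)} bytes exceeds limit {max_message_size}")
    if offset + LIST_HEADER.size > len(buf):
        raise MalformedMessage("truncated list header")
    elem_type, count = LIST_HEADER.unpack_from(buf, offset)
    if count < 0:
        raise MalformedMessage(f"negative container size {count}")
    min_size = MIN_ELEMENT_SIZE.get(elem_type)
    if min_size is None:
        raise MalformedMessage(f"unknown element type id {elem_type}")
    body_offset = offset + LIST_HEADER.size
    remaining = len(buf) - body_offset
    if count * min_size > remaining:
        raise MalformedMessage(
            f"header declares {count} elements needing >= {count * min_size} bytes, "
            f"but only {remaining} payload bytes remain")
    return elem_type, count, body_offset


def read_i32_list(buf: bytes) -> list[int]:
    """Decode a binary-protocol list<i32>, allocating only after the header passes validation."""
    elem_type, count, pos = read_list_header_checked(buf)
    if elem_type != 8:
        raise MalformedMessage(f"expected list<i32> (type 8), got type {elem_type}")
    return list(struct.unpack_from(f">{count}i", buf, pos))


def classify(buf: bytes, max_message_size: int = 16 * 1024 * 1024) -> str:
    """Return 'ok' or the validation error text, suitable for a server-side log line."""
    try:
        read_list_header_checked(buf, max_message_size=max_message_size)
        return "ok"
    except MalformedMessage as exc:
        return str(exc)


# Constructed sample messages (not captured traffic).
GOOD_LIST = LIST_HEADER.pack(8, 3) + struct.pack(">iii", 10, 20, 30)  # list<i32> of 3
SHORT_LIST = LIST_HEADER.pack(8, 2**31 - 1)                             # 5 bytes, no body
UNKNOWN_TYPE_LIST = LIST_HEADER.pack(0x63, 1) + b"\x00"                 # type id 0x63 is not a TType
NEGATIVE_LIST = LIST_HEADER.pack(8, -1)                                 # negative count

if __name__ == "__main__":
    print("good list:", read_i32_list(GOOD_LIST))
    print("unchecked reader would reserve", planned_allocation_unchecked(SHORT_LIST),
          "bytes for", len(SHORT_LIST), "input bytes")
    for name, msg in [("short", SHORT_LIST), ("unknown type", UNKNOWN_TYPE_LIST),
                      ("negative", NEGATIVE_LIST)]:
        print(f"{name}: {classify(msg)}")
```

The check is deliberately conservative: it uses the smallest possible encoding of each element type, so a valid message is never rejected, while a header that cannot possibly be backed by the payload is refused before a single element is read or allocated. The configurable message-size cap is the same idea later Apache Thrift releases expose through a per-connection maximum message size; a server should log the rejection reason with the peer address so repeated malformed headers from one client are visible in detection.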
Comment 1 Svyatoslav Matveev 2023-05-25 11:32:42 MSK
********** QA ADVISORY **********

CVE-2018-11798: we do not build for nodejs

CVE-2019-11938 CVE-2019-11939 CVE-2019-3552
CVE-2019-3553  CVE-2019-3558  CVE-2019-3559
CVE-2019-3564  CVE-2019-3565  CVE-2021-24028
do not apply to our package,
https://github.com/facebook/fbthrift

CVE-2020-13949: I cannot find a patch.

CVE-2018-1320 CVE-2019-0210 are closed.

*** thrift

https://abf.io/build_lists/4444059
https://abf.io/build_lists/4444058
Comment 2 Dmitry Postnikov 2023-05-26 09:39:51 MSK
***************************
The update has been sent to testing
Comment 3 Vladimir Potapov 2023-05-31 09:41:59 MSK
thrift-0.10.0-18
https://abf.io/build_lists/4444059
https://abf.io/build_lists/4444058
****************************** Advisory **************************
CVE-2018-1320 CVE-2019-0210 fixed
******************************************************************
QA Verified
Comment 4 Yury 2023-07-25 16:49:39 MSK

CVE-2018-11798: we do not build for nodejs

CVE-2019-11938 CVE-2019-11939 CVE-2019-3552
CVE-2019-3553  CVE-2019-3558  CVE-2019-3559
CVE-2019-3564  CVE-2019-3565  CVE-2021-24028

need to be included in the spec as a comment, via # Not actual: ...

CVE-2020-13949

we will wait

Secteam Verified
Comment 5 Yury 2023-10-27 20:52:14 MSK

*** This bug has been marked as a duplicate of bug 13816 ***
Comment 6 Yury 2023-10-27 20:52:52 MSK
secteam_verified