Posted to user@thrift.apache.org by Jens Geyer <je...@apache.org> on 2021/02/11 22:43:29 UTC

[SECURITY] CVE-2020-13949 Announcement

CVE-2020-13949: potential DoS when processing untrusted Thrift payloads

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Thrift up to and including 0.13.0

Description:
Applications using Thrift would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

Mitigation:
Upgrade to version 0.14.0

Credit:
This issue was reported by Hasnain Lakhani of Facebook.

On behalf of the Apache Thrift PMC,
Jens Geyer
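The failure mode the advisory describes, shown as an added example that is not Apache Thrift's code: a minimal decoder for a Thrift binary-protocol list (one byte of element type, a four-byte big-endian count, then the elements). `read_list_trusting` sizes the container from the declared count before reading anything, so a 13-byte message that declares one million i64 elements reserves one million slots; `read_list_checked` first rejects any count that the remaining payload could not possibly hold. The `max_elems` cap, the `ProtocolError.allocated` attribute and the sample messages are this example's own constructions, not part of the 0.14 fix.

```python
"""Minimal Thrift-binary-protocol list decoder, written to show how a declared
container size larger than the payload turns a short message into a large
allocation, and the check that prevents it.  Example code, not Apache Thrift's."""
import struct

# Type ids from the Thrift binary protocol (subset).
T_BOOL, T_BYTE, T_DOUBLE, T_I16, T_I32, T_I64, T_STRING = 2, 3, 4, 6, 8, 10, 11

# struct formats for fixed-width elements; strings are length-prefixed instead.
ELEM_FMT = {T_BOOL: ">?", T_BYTE: ">b", T_DOUBLE: ">d",
            T_I16: ">h", T_I32: ">i", T_I64: ">q"}
# Smallest number of bytes one element of each type can occupy on the wire.
ELEM_MIN_BYTES = {t: struct.calcsize(f) for t, f in ELEM_FMT.items()}
ELEM_MIN_BYTES[T_STRING] = 4  # an empty string is still a 4-byte length prefix


class ProtocolError(ValueError):
    """Malformed input.  `allocated` (this example's own bookkeeping) records how
    many list slots had already been reserved when the error was detected."""
    def __init__(self, msg, allocated=0):
        super().__init__(msg)
        self.allocated = allocated


def _read_list_header(buf, pos):
    """Return (element type, declared count, position after the header)."""
    if len(buf) - pos < 5:
        raise ProtocolError("truncated list header")
    etype, count = struct.unpack_from(">Bi", buf, pos)
    if etype not in ELEM_MIN_BYTES or count < 0:
        raise ProtocolError("bad list header")
    return etype, count, pos + 5


def _read_elements(buf, pos, etype, count, out):
    """Fill the preallocated list `out` with `count` elements read from buf[pos:]."""
    for i in range(count):
        if etype == T_STRING:
            if len(buf) - pos < 4:
                raise ProtocolError("truncated string length", len(out))
            (slen,) = struct.unpack_from(">i", buf, pos)
            pos += 4
            if slen < 0 or len(buf) - pos < slen:
                raise ProtocolError("string length exceeds payload", len(out))
            out[i] = buf[pos:pos + slen].decode("utf-8")
            pos += slen
        else:
            fmt = ELEM_FMT[etype]
            size = struct.calcsize(fmt)
            if len(buf) - pos < size:
                raise ProtocolError("truncated element", len(out))
            (out[i],) = struct.unpack_from(fmt, buf, pos)
            pos += size
    return out, pos


def read_list_trusting(buf, pos=0):
    """Decoder in the style the advisory describes: the declared count is
    trusted and the container is sized from it before any element is read."""
    etype, count, pos = _read_list_header(buf, pos)
    out = [None] * count  # attacker-controlled: 5 header bytes buy `count` slots
    return _read_elements(buf, pos, etype, count, out)


def read_list_checked(buf, pos=0, max_elems=1 << 20):
    """Hardened decoder: a container may not declare more elements than the
    remaining payload could hold, and never more than `max_elems` (an absolute
    cap chosen for this example, not a Thrift default)."""
    etype, count, pos = _read_list_header(buf, pos)
    if count > max_elems:
        raise ProtocolError(f"declared size {count} exceeds limit {max_elems}")
    remaining = len(buf) - pos
    if count * ELEM_MIN_BYTES[etype] > remaining:
        raise ProtocolError(f"declared size {count} exceeds remaining payload of {remaining} bytes")
    out = [None] * count  # now bounded by the bytes actually present
    return _read_elements(buf, pos, etype, count, out)


def encode_list(etype, values):
    """Encode a well-formed list; used only to build the sample inputs below."""
    if etype == T_STRING:
        body = b"".join(struct.pack(">i", len(v.encode())) + v.encode() for v in values)
    else:
        body = b"".join(struct.pack(ELEM_FMT[etype], v) for v in values)
    return struct.pack(">Bi", etype, len(values)) + body


# Constructed sample inputs (not captured traffic).
GOOD = encode_list(T_I64, [1, 2, 3])
# Malicious: header claims one million i64 elements, followed by a single i64.
EVIL = struct.pack(">Bi", T_I64, 1_000_000) + struct.pack(">q", 42)


def demo():
    """Return (decoded GOOD list, slots the trusting decoder reserved for EVIL,
    slots the checked decoder reserved for EVIL)."""
    good, _ = read_list_checked(GOOD)
    try:
        read_list_trusting(EVIL)
        slots_trusting = None
    except ProtocolError as e:
        slots_trusting = e.allocated
    try:
        read_list_checked(EVIL)
        slots_checked = None
    except ProtocolError as e:
        slots_checked = e.allocated
    return good, slots_trusting, slots_checked


if __name__ == "__main__":
    print(demo())
```

The remaining-payload check only works when the decoder knows where the message ends, which a framed transport provides; on an unframed stream the decoder cannot see how many bytes will follow, so an absolute cap on container size is the only check that can run before the allocation.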

Re: [SECURITY] CVE-2020-13949 Announcement

Posted by Yuta Kawadai <yu...@gmail.com>.
Thanks for adding comments to JIRA tickets.
I was able to find these tickets.
- https://issues.apache.org/jira/browse/THRIFT-5007
- https://issues.apache.org/jira/browse/THRIFT-5021
- https://issues.apache.org/jira/browse/THRIFT-5237

Best regards,
Yuta

On Thu, Feb 25, 2021 at 4:55, Jens Geyer <je...@hotmail.com> wrote:

> Done
>
> -----Original Message-----
> From: Yuta Kawadai
> Sent: Wednesday, February 24, 2021 2:45 PM
> To: user@thrift.apache.org
> Subject: Re: [SECURITY] CVE-2020-13949 Announcement
>
> Hi
>
> Would you be able to tell me the JIRA ticket or GitHub PR# which addressed
> this CVE?
> I couldn't find them...
>
> Best regards,
> Yuta Kawadai
>
> On 2021/02/11 22:43:29, "Jens Geyer" <je...@apache.org> wrote:
> > CVE-2020-13949: potential DoS when processing untrusted Thrift payloads
> >
> > Severity: Important
> >
> > Vendor:
> > The Apache Software Foundation
> >
> > Versions Affected:
> > Apache Thrift up to and including 0.13.0
> >
> > Description:
> > Applications using Thrift would not error upon receiving messages
> > declaring containers of sizes larger than the payload. As a result,
> > malicious RPC clients could send short messages which would result in a
> > large memory allocation, potentially leading to denial of service.
> >
> > Mitigation:
> > Upgrade to version 0.14.0
> >
> > Credit:
> > This issue was reported by Hasnain Lakhani of Facebook.
> >
> > On behalf of the Apache Thrift PMC,
> > Jens Geyer
>
>

Re: [SECURITY] CVE-2020-13949 Announcement

Posted by Jens Geyer <je...@hotmail.com>.
Done

-----Original Message-----
From: Yuta Kawadai
Sent: Wednesday, February 24, 2021 2:45 PM
To: user@thrift.apache.org
Subject: Re: [SECURITY] CVE-2020-13949 Announcement

Hi

Would you be able to tell me the JIRA ticket or GitHub PR# which addressed
this CVE?
I couldn't find them...

Best regards,
Yuta Kawadai

On 2021/02/11 22:43:29, "Jens Geyer" <je...@apache.org> wrote:
> CVE-2020-13949: potential DoS when processing untrusted Thrift payloads
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache Thrift up to and including 0.13.0
>
> Description:
> Applications using Thrift would not error upon receiving messages 
> declaring containers of sizes larger than the payload. As a result, 
> malicious RPC clients could send short messages which would result in a 
> large memory allocation, potentially leading to denial of service.
>
> Mitigation:
> Upgrade to version 0.14.0
>
> Credit:
> This issue was reported by Hasnain Lakhani of Facebook.
>
> On behalf of the Apache Thrift PMC,
> Jens Geyer 


Re: [SECURITY] CVE-2020-13949 Announcement

Posted by Yuta Kawadai <yu...@gmail.com>.
Hi

Would you be able to tell me the JIRA ticket or GitHub PR# which addressed this CVE?
I couldn't find them...

Best regards,
Yuta Kawadai

On 2021/02/11 22:43:29, "Jens Geyer" <je...@apache.org> wrote: 
> CVE-2020-13949: potential DoS when processing untrusted Thrift payloads
> 
> Severity: Important
> 
> Vendor:
> The Apache Software Foundation
> 
> Versions Affected:
> Apache Thrift up to and including 0.13.0
> 
> Description:
> Applications using Thrift would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
> 
> Mitigation:
> Upgrade to version 0.14.0
> 
> Credit:
> This issue was reported by Hasnain Lakhani of Facebook.
> 
> On behalf of the Apache Thrift PMC,
> Jens Geyer