Posted to user@cassandra.apache.org by rammohan ganapavarapu <ra...@gmail.com> on 2021/10/05 00:02:56 UTC

Vulnerability in libthrift library (CVE-2019-0205)

Hi,

There is a vulnerability (CVE-2019-0205) reported in the libthrift library. We
are using Cassandra version 3.11.6; what is the impact of this and what are the
mitigation steps?

Thanks,
Ram

Re: Vulnerability in libthrift library (CVE-2019-0205)

Posted by rammohan ganapavarapu <ra...@gmail.com>.
Thank you.

On Tue, Oct 5, 2021 at 9:19 AM Aaron Ploetz <aa...@gmail.com> wrote:

> In reading the Jira ticket, I see this line:
>
> "a server or client may run into an endless loop *when fed with specific
> input data.*"
>
> That seems to suggest that if the cassandra.yaml contains start_rpc: false,
> you should be ok.
>
> On Mon, Oct 4, 2021 at 8:12 PM rammohan ganapavarapu <
> rammohanganap@gmail.com> wrote:
>
>> We are not using thrift but the lib is there with Cassandra binary right?
>> Does it cause any risk?
>>
>> On Mon, Oct 4, 2021, 5:53 PM Erick Ramirez <er...@datastax.com>
>> wrote:
>>
>>> See https://issues.apache.org/jira/browse/CASSANDRA-15420. It only
>>> applies if you're still using Thrift in 2021. Cheers!
>>>
>>

Re: Vulnerability in libthrift library (CVE-2019-0205)

Posted by Aaron Ploetz <aa...@gmail.com>.
In reading the Jira ticket, I see this line:

"a server or client may run into an endless loop *when fed with specific
input data.*"

That seems to suggest that if the cassandra.yaml contains start_rpc: false,
you should be ok.

On Mon, Oct 4, 2021 at 8:12 PM rammohan ganapavarapu <
rammohanganap@gmail.com> wrote:

> We are not using thrift but the lib is there with Cassandra binary right?
> Does it cause any risk?
>
> On Mon, Oct 4, 2021, 5:53 PM Erick Ramirez <er...@datastax.com>
> wrote:
>
>> See https://issues.apache.org/jira/browse/CASSANDRA-15420. It only
>> applies if you're still using Thrift in 2021. Cheers!
>>
>
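The mitigation Aaron points at is a configuration condition: the libthrift issue only matters if the Thrift RPC server is actually started. The script below is an added example, not code from the thread or from the Cassandra project; it reads a cassandra.yaml on stdin and reports whether `start_rpc` is enabled, disabled, or not set at all, ignoring commented-out lines and quoted values. The embedded YAML snippet is constructed sample input, and the `/etc/cassandra/cassandra.yaml` path and the `nodetool statusthrift` runtime check are assumptions about a typical 3.x install.

```shell
#!/bin/sh
# Added example: check whether Thrift RPC (the code path CVE-2019-0205 /
# CASSANDRA-15420 concerns) is enabled in a cassandra.yaml.

# Constructed sample config standing in for /etc/cassandra/cassandra.yaml.
# The commented-out "start_rpc: true" must be ignored by the check.
SAMPLE_YAML=$(cat <<'EOF'
cluster_name: 'Test Cluster'
# start_rpc: true
start_rpc: false
rpc_port: 9160
native_transport_port: 9042
EOF
)

# thrift_rpc_state: reads a cassandra.yaml on stdin and prints one of
#   enabled   - start_rpc is true, Thrift server starts, CVE applies
#   disabled  - start_rpc is false, Thrift server never starts
#   unset     - no uncommented start_rpc key (rely on the shipped default)
thrift_rpc_state() {
    # Keep only uncommented start_rpc lines, take the last one (later keys
    # win in a flat YAML file), strip the key, trailing comments and quotes.
    val=$(grep -E '^[[:space:]]*start_rpc[[:space:]]*:' \
          | tail -n 1 \
          | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*(#.*)?$//' \
          | tr -d "\"'")
    case "$val" in
        true|True|TRUE)    echo enabled ;;
        false|False|FALSE) echo disabled ;;
        "")                echo unset ;;
        *)                 echo "unknown($val)" ;;
    esac
}

# Static check against the constructed sample.
printf 'sample config: start_rpc is %s\n' \
    "$(printf '%s\n' "$SAMPLE_YAML" | thrift_rpc_state)"

# Static check against a real file, if present (assumed path).
CONF=/etc/cassandra/cassandra.yaml
if [ -r "$CONF" ]; then
    printf '%s: start_rpc is %s\n' "$CONF" "$(thrift_rpc_state < "$CONF")"
fi

# Runtime check: the config file can differ from what the node actually
# started with, so confirm against the live process when nodetool exists.
if command -v nodetool >/dev/null 2>&1; then
    printf 'live thrift server: %s\n' "$(nodetool statusthrift 2>/dev/null)"
fi
```

Run it on each node rather than once per cluster: a node whose yaml was edited after startup, or one started from a different file, can report "disabled" from the file while `nodetool statusthrift` still says "running", and it is the running server that matters here.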

Re: Vulnerability in libthrift library (CVE-2019-0205)

Posted by rammohan ganapavarapu <ra...@gmail.com>.
We are not using thrift but the lib is there with Cassandra binary right?
Does it cause any risk?

On Mon, Oct 4, 2021, 5:53 PM Erick Ramirez <er...@datastax.com>
wrote:

> See https://issues.apache.org/jira/browse/CASSANDRA-15420. It only
> applies if you're still using Thrift in 2021. Cheers!
>

Re: Vulnerability in libthrift library (CVE-2019-0205)

Posted by Erick Ramirez <er...@datastax.com>.
See https://issues.apache.org/jira/browse/CASSANDRA-15420. It only applies
if you're still using Thrift in 2021. Cheers!