[https://issues.apache.org/jira/browse/THRIFT-5293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17211060#comment-17211060]
Max commented on THRIFT-5293:
-----------------------------
Hi.
First: see [https://www.apache.org/security/]. Public Jira is not appropriate
to report security issues in Apache Thrift.
Second: just because a tool tells you there's an issue does not mean anything.
You are expected to analyze each and every detection yourself (maybe with help
from the IT security department at your company) and use your own judgment.
Third: as a matter of courtesy and goodwill, I'll do part of your job for you.
Let's go one by one.
*CVE-2016-5397*: _The Apache Thrift Go client library exposed the potential
during code generation for command injection due to using an external
formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift
0.10.0._
Current Thrift version is 0.13.0. You have to update to at least 0.10.0 if this
issue affects you. This issue affects you if all of the following holds true:
you use Golang code generated by Thrift <= 0.9.3; your IDL files are not
trusted; your threat model includes malicious developers crafting IDL files to
exploit the vulnerability, e.g. gaining access to CI systems.
*CVE-2018-11798*: _The Apache Thrift Node.js static web server in versions
0.9.2 through 0.11.0 has been determined to contain a security vulnerability
in which a remote user has the ability to access files outside the set
webserver's docroot path._
Current Thrift version is 0.13.0. You have to update to at least 0.11.0 if this
issue affects you. This issue affects you if all of the following holds true:
you use Node.js servers generated by Thrift [0.9.2..0.11.0] which are
accessible across a trust boundary.
*CVE-2018-1320*: _Apache Thrift Java client library versions 0.5.0 through
0.11.0 can bypass SASL negotiation isComplete validation in the
org.apache.thrift.transport.TSaslTransport class. An assert used to determine
if the SASL handshake had successfully completed could be disabled in
production settings making the validation incomplete._
Current Thrift version is 0.13.0. You have to update to at least 0.12.0 if this
issue affects you. This issue affects you if all of the following holds true:
you use Java clients generated by Thrift [0.5.0..0.11.0] which utilize
TSaslTransport to connect to servers across a trust boundary.
*CVE-2019-0205*: _In Apache Thrift all versions up to and including 0.12.0, a
server or client may run into an endless loop when fed with specific input
data. Because the issue had already been partially fixed in version 0.11.0,
depending on the installed version it affects only certain language bindings._
Current Thrift version is 0.13.0. You have to update to 0.13.0 if this issue
affects you.
*CVE-2019-0210*: _In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go
using TJSONProtocol or TSimpleJSONProtocol may panic when fed with invalid
input data._
Current Thrift version is 0.13.0. You have to update to 0.13.0 if this issue
affects you.
----
Just to make it clear: your responsibility does not end with posting a
detection screenshot to the bug tracker. You're supposed to do your own
research (nvd.nist.gov has plenty of links detailing each issue). Nobody from
Apache has any obligation to do this research for you.
In summary: all the issues have been fixed in the latest Thrift version, and
besides that there's barely anything Apache can do to help you. Update to the
latest version if the issues affect your systems.
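The CVE-2018-1320 entry above describes a check that only existed as an `assert`, which production JVMs skip unless started with -ea. The following is an added illustration of that failure mode, not Thrift code and not part of the Jira thread: it models a hypothetical SASL-style transport twice, once guarding `read()` with `assert` and once with an explicit exception, then compiles each with Python's optimize level 1 (the equivalent of `python -O`, which strips `assert` the way an assertion-disabled JVM does). The class and attribute names (`AssertingSaslTransport`, `CheckedSaslTransport`, `sasl_complete`) are invented for the example.

```python
"""Why a security check must not live in an `assert` (added example, not Thrift code).

Models the mechanism behind CVE-2018-1320: a transport that merely asserts the
SASL handshake has completed. Python drops `assert` at optimize level 1 (-O),
just as a JVM without -ea ignores Java `assert`, so the check vanishes in
production while an explicit exception does not.
"""

# Hypothetical transport relying on `assert` (the vulnerable pattern).
# Names are invented for this illustration.
VULNERABLE_SRC = '''
class AssertingSaslTransport:
    """Enforces negotiation completion with `assert` only (bad)."""
    def __init__(self):
        self.sasl_complete = False
    def open(self):
        # Pretend a handshake ran; for the demo it is deliberately incomplete.
        pass
    def read(self, n):
        assert self.sasl_complete, "SASL negotiation not complete"
        return b"x" * n  # frames would flow without a completed handshake
'''

# Same transport with an explicit check that survives optimization.
HARDENED_SRC = '''
class CheckedSaslTransport:
    """Enforces negotiation completion with a real exception."""
    def __init__(self):
        self.sasl_complete = False
    def open(self):
        pass
    def read(self, n):
        if not self.sasl_complete:
            raise RuntimeError("SASL negotiation not complete")
        return b"x" * n
'''


def load(src, class_name, optimize):
    """Compile `src` at the given optimize level and return the class it defines.

    optimize=0 keeps `assert`; optimize=1 strips it, exactly like `python -O`.
    """
    namespace = {}
    exec(compile(src, "<sasl-demo>", "exec", optimize=optimize), namespace)
    return namespace[class_name]


def try_read(cls):
    """Return 'rejected' if reading before negotiation raises, else 'leaked'."""
    transport = cls()
    transport.open()
    try:
        transport.read(4)
    except (AssertionError, RuntimeError):
        return "rejected"
    return "leaked"


def run_matrix():
    """Outcome of a premature read for each (implementation, optimize level)."""
    return {
        ("assert", 0): try_read(load(VULNERABLE_SRC, "AssertingSaslTransport", 0)),
        ("assert", 1): try_read(load(VULNERABLE_SRC, "AssertingSaslTransport", 1)),
        ("explicit", 0): try_read(load(HARDENED_SRC, "CheckedSaslTransport", 0)),
        ("explicit", 1): try_read(load(HARDENED_SRC, "CheckedSaslTransport", 1)),
    }


if __name__ == "__main__":
    for (impl, level), outcome in run_matrix().items():
        print(f"{impl:8s} optimize={level}: {outcome}")
```

Only the `("assert", 1)` cell comes back as `leaked`: with assertions stripped, the unauthenticated read succeeds, which is the shape of the bypass the advisory describes. The practical check for your own code is to grep for `assert` on any path that gates authentication, authorization or input validation and replace it with an explicit condition and exception.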
> Blackduck shows the security vulnerabilities in libfb303:0.9.3
> --------------------------------------------------------------
>
> Key: THRIFT-5293
> URL: https://issues.apache.org/jira/browse/THRIFT-5293
> Project: Thrift
> Issue Type: Bug
> Components: Java - Library
> Affects Versions: 0.9.3
> Reporter: suraj misra
> Priority: Critical
> Attachments: Security_vulnerabilities.JPG
>
> Blackduck shows the security vulnerabilities in libfb303:0.9.3
> !Security_vulnerabilities.JPG!
--
This message was sent by Atlassian Jira
(v8.3.4#803005)