{ "threat_severity" : "Important", "public_date" : "2021-02-11T00:00:00Z", "bugzilla" : { "description" : "libthrift: potential DoS when processing untrusted payloads", "id" : "1928172", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1928172" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-400", "details" : [ "In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.", "A flaw was found in libthrift. Applications using Thrift would not show an error upon receiving messages declaring containers of sizes larger than the payload. This results in malicious RPC clients with the ability to send short messages which would result in a large memory allocation, potentially leading to denial of service. The highest threat from this vulnerability is to system availability." ], "statement" : "* A vulnerable version of the libthrift library is delivered in listed OpenShift Container Platform (OCP) and OpenShift Jaeger (Jaeger) components, but the vulnerable code is not invoked, therefore these components are affected but with impact Moderate. \n* For Red Hat OpenStack, because the fix would require a substantial amount of development and OpenDaylight is deprecated in all future versions (RHOSP10 was in tech preview), no update will be provided at this time for the RHOSP libthrift package.", "affected_release" : [ { "product_name" : "Red Hat Fuse 7.10", "release_date" : "2021-12-14T00:00:00Z", "advisory" : "RHSA-2021:5134", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "libthrift", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-06-25T00:00:00Z", "advisory" : "RHSA-2025:9582", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-glassfish-el-0:3.0.1-4.b08_redhat_00005.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-06-25T00:00:00Z", "advisory" : "RHSA-2025:9582", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-hibernate-0:5.1.17-3.Final_redhat_00004.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-06-25T00:00:00Z", "advisory" : "RHSA-2025:9582", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-jackson-databind-0:2.8.11.6-3.SP1_redhat_00003.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-06-25T00:00:00Z", "advisory" : "RHSA-2025:9582", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-jboss-ejb-client-0:4.0.12-1.Final_redhat_00002.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-06-25T00:00:00Z", "advisory" : "RHSA-2025:9582", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-netty-0:4.1.63-2.Final_redhat_00003.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-06-25T00:00:00Z", "advisory" : "RHSA-2025:9582", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-undertow-0:1.4.18-16.SP14_redhat_00001.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-06-25T00:00:00Z", "advisory" : "RHSA-2025:9582", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-wildfly-0:7.1.11-4.GA_redhat_00002.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-06-25T00:00:00Z", "advisory" : "RHSA-2025:9582", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-wildfly-elytron-0:1.1.14-1.Final_redhat_00001.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-06-25T00:00:00Z", "advisory" : "RHSA-2025:9582", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-wildfly-http-client-0:1.0.21-1.Final_redhat_00001.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-06-25T00:00:00Z", "advisory" : "RHSA-2025:9582", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-wildfly-naming-client-0:1.0.13-1.Final_redhat_00001.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-06-25T00:00:00Z", "advisory" : "RHSA-2025:9582", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-06-25T00:00:00Z", "advisory" : "RHSA-2025:9582", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-wildfly-openssl-linux-0:1.0.12-6.Final_redhat_00001.1.ep7.el7" }, { "product_name" : "Red Hat OpenShift Jaeger 1.20", "release_date" : "2021-06-24T00:00:00Z", "advisory" : "RHSA-2021:2543", "cpe" : "cpe:/a:redhat:jaeger:1.20::el8", "package" : "distributed-tracing/jaeger-agent-rhel8:1.20.4-18" }, { "product_name" : "Red Hat OpenShift Jaeger 1.20", "release_date" : "2021-06-24T00:00:00Z", "advisory" : "RHSA-2021:2543", "cpe" : "cpe:/a:redhat:jaeger:1.20::el8", "package" : "distributed-tracing/jaeger-all-in-one-rhel8:1.20.4-18" }, { "product_name" : "Red Hat OpenShift Jaeger 1.20", "release_date" : "2021-06-24T00:00:00Z", "advisory" : "RHSA-2021:2543", "cpe" : "cpe:/a:redhat:jaeger:1.20::el8", "package" : "distributed-tracing/jaeger-collector-rhel8:1.20.4-18" }, { "product_name" : "Red Hat OpenShift Jaeger 1.20", "release_date" : "2021-06-24T00:00:00Z", "advisory" : "RHSA-2021:2543", "cpe" : "cpe:/a:redhat:jaeger:1.20::el8", "package" : "distributed-tracing/jaeger-ingester-rhel8:1.20.4-17" }, { "product_name" : "Red Hat OpenShift Jaeger 1.20", "release_date" : "2021-06-24T00:00:00Z", "advisory" : "RHSA-2021:2543", "cpe" : "cpe:/a:redhat:jaeger:1.20::el8", "package" : "distributed-tracing/jaeger-query-rhel8:1.20.4-18" }, { "product_name" : "Red Hat OpenShift Jaeger 1.20", "release_date" : "2021-06-24T00:00:00Z", "advisory" : "RHSA-2021:2543", "cpe" : "cpe:/a:redhat:jaeger:1.20::el8", "package" : "distributed-tracing/jaeger-rhel8-operator:1.20.4-18" } ], "package_state" : [ { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "config-policy-controller", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "endpoint-component-operator", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "endpoint-operator", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "governance-policy-spec-sync", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "governance-policy-status-sync", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "governance-policy-template-sync", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "hive", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "iam-policy-controller", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "multicloudhub-operator", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "multicloud-operators-application", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "multicloud-operators-channel", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "multicloud-operators-deployable", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "multicloud-operators-foundation", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "multicloud-operators-placementrule", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "multicloud-operators-subscription", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rcm-controller", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "search-aggregator", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "search-collector", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "search-operator", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Affected", "package_name" : "libthrift", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0", "impact" : "low" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Not affected", "package_name" : "libthrift", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Affected", "package_name" : "libthrift", "cpe" : "cpe:/a:redhat:integration:1", "impact" : "moderate" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Will not fix", "package_name" : "libthrift", "cpe" : "cpe:/a:redhat:camel_quarkus:2", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "libthrift", "cpe" : "cpe:/a:redhat:jboss_data_grid:7", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Out of support scope", "package_name" : "libthrift", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Affected", "package_name" : "libthrift", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Will not fix", "package_name" : "libthrift", "cpe" : "cpe:/a:redhat:jbosseapxp", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "libthrift", "cpe" : "cpe:/a:redhat:jboss_fuse:6", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Out of support scope", "package_name" : "libthrift", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Affected", "package_name" : "libthrift", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Will not fix", "package_name" : "thrift", "cpe" : "cpe:/a:redhat:openshift:3.11", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/cnf-tests-rhel8", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/compliance-rhel8-operator", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/file-integrity-rhel8-operator", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4-wincw/windows-machine-config-rhel8-operator", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Out of support scope", "package_name" : "thrift", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform Assisted Installer 1", "fix_state" : "Not affected", "package_name" : "rhai-tech-preview/assisted-installer-agent-rhel8", "cpe" : "cpe:/a:redhat:assisted_installer:1", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform Assisted Installer 1", "fix_state" : "Not affected", "package_name" : "rhai-tech-preview/assisted-installer-reporter-rhel8", "cpe" : "cpe:/a:redhat:assisted_installer:1", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform Assisted Installer 1", "fix_state" : "Not affected", "package_name" : "rhai-tech-preview/assisted-installer-rhel8", "cpe" : "cpe:/a:redhat:assisted_installer:1", "impact" : "moderate" }, { "product_name" : "Red Hat OpenStack Platform 10 (Newton)", "fix_state" : "Out of support scope", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:10" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Will not fix", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Will not fix", "package_name" : "libthrift", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7", "impact" : "moderate" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Affected", "package_name" : "libthrift", "cpe" : "cpe:/a:redhat:amq_streams:1", "impact" : "moderate" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-13949\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-13949" ], "name" : "CVE-2020-13949", "csaw" : false }