Description
In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
A flaw was found in libthrift. Applications using Thrift did not raise an error on receiving messages that declare containers larger than the payload that carries them. As a result, a malicious RPC client can send a short message that triggers a large memory allocation, potentially leading to denial of service. The highest threat from this vulnerability is to system availability.
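To make the mechanism concrete, the following Python snippet is an added illustration, not code from Apache Thrift or from any of the listed vendors. It decodes a Thrift binary-protocol list header (1-byte element type, 4-byte big-endian element count) in two ways: an unchecked reader that trusts the declared count, as the description says the affected versions did, and a checked reader that bounds the declared count by the bytes actually remaining in the message plus a policy limit before anything is allocated. The function names, the `MIN_ELEMENT_BYTES` table and the two sample messages are constructed for this example.

```python
import struct

# Thrift binary-protocol type ids (subset), per the Thrift protocol definition.
T_BOOL, T_BYTE, T_DOUBLE, T_I16, T_I32, T_I64 = 2, 3, 4, 6, 8, 10
T_STRING, T_STRUCT, T_MAP, T_SET, T_LIST = 11, 12, 13, 14, 15

# Smallest possible wire size of one element of each type (a string is at least
# its 4-byte length prefix, a struct at least its T_STOP byte, a map header is
# ktype+vtype+size, a set/list header is etype+size). Declared count times this
# value is a lower bound on the payload a genuine container must occupy.
MIN_ELEMENT_BYTES = {
    T_BOOL: 1, T_BYTE: 1, T_DOUBLE: 8, T_I16: 2, T_I32: 4, T_I64: 8,
    T_STRING: 4, T_STRUCT: 1, T_MAP: 6, T_SET: 5, T_LIST: 5,
}


class ContainerSizeError(ValueError):
    """Declared container size is inconsistent with the bytes actually present."""


def read_list_header_unchecked(buf: bytes, pos: int = 0):
    """Illustrates the weak behaviour: trust whatever element count the peer declares.
    Returns (element_type, declared_size, next_pos)."""
    etype = buf[pos]
    (size,) = struct.unpack_from(">i", buf, pos + 1)
    return etype, size, pos + 5


def read_list_header_checked(buf: bytes, pos: int = 0, max_elements: int = 1_000_000):
    """Hardened variant: reject counts the remaining payload cannot possibly hold,
    then apply an application-level cap (max_elements is an assumed policy value)."""
    etype, size, pos = read_list_header_unchecked(buf, pos)
    if size < 0:
        raise ContainerSizeError(f"negative container size {size}")
    if etype not in MIN_ELEMENT_BYTES:
        raise ContainerSizeError(f"unknown element type {etype}")
    remaining = len(buf) - pos
    needed = size * MIN_ELEMENT_BYTES[etype]
    if needed > remaining:
        raise ContainerSizeError(
            f"declared {size} elements of type {etype} need at least "
            f"{needed} bytes, but only {remaining} remain")
    if size > max_elements:
        raise ContainerSizeError(f"container size {size} exceeds policy limit {max_elements}")
    return etype, size, pos


def read_i32_list(buf: bytes, pos: int = 0):
    """Decode a list<i32>; the list is only materialised after the header passes the check."""
    etype, size, pos = read_list_header_checked(buf, pos)
    if etype != T_I32:
        raise ContainerSizeError(f"expected i32 list, got element type {etype}")
    values = list(struct.unpack_from(f">{size}i", buf, pos))  # allocation is now bounded
    return values, pos + 4 * size


def unchecked_reservation_bytes(buf: bytes) -> int:
    """Memory a pre-allocating reader would request based on the declared count alone."""
    etype, size, _ = read_list_header_unchecked(buf)
    return size * MIN_ELEMENT_BYTES[etype]


def checked_reader_rejects(buf: bytes) -> bool:
    """True if the hardened header reader refuses the message."""
    try:
        read_list_header_checked(buf)
    except ContainerSizeError:
        return True
    return False


# Constructed sample messages (not captured traffic):
# a genuine list<i32> of three elements, and a five-byte "short message" that
# declares 2**31-1 i32 elements with no payload behind the header.
GENUINE = bytes([T_I32]) + struct.pack(">i", 3) + struct.pack(">3i", 10, 20, 30)
MALICIOUS = bytes([T_I32]) + struct.pack(">i", 0x7FFFFFFF)

if __name__ == "__main__":
    print("genuine:", read_i32_list(GENUINE)[0])
    print("unchecked reader would reserve", unchecked_reservation_bytes(MALICIOUS), "bytes")
    print("checked reader rejects malicious header:", checked_reader_rejects(MALICIOUS))
```

The payload-length bound is the part that matters: a five-byte message can never legitimately contain billions of elements, so the size is refused before any buffer is reserved. The separate `max_elements` cap covers the case where the transport is streaming and the total message length is not known up front.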
Report
- A vulnerable version of the libthrift library is delivered in listed OpenShift Container Platform (OCP) and OpenShift Jaeger (Jaeger) components, but the vulnerable code is not invoked, therefore these components are affected but with impact Moderate.
- For Red Hat OpenStack, because the fix would require a substantial amount of development and OpenDaylight is deprecated in all future versions (RHOSP10 was in tech preview), no update will be provided at this time for the RHOSP libthrift package.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Advanced Cluster Management for Kubernetes 2 | config-policy-controller | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | endpoint-component-operator | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | endpoint-operator | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | governance-policy-spec-sync | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | governance-policy-status-sync | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | governance-policy-template-sync | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | hive | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | iam-policy-controller | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | multicloudhub-operator | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | multicloud-operators-application | Not affected | ||
Additional information
EPSS
CVSS3: 7.5 High
Related vulnerabilities
In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
Uncontrolled Resource Consumption in Apache Thrift
Vulnerability in the Apache Thrift library of the Аврора Центр application software, related to uncontrolled resource consumption, allowing an attacker to cause a denial of service
EPSS
CVSS3: 7.5 High