Description

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.

Remediation

References

https://www.oracle.com//security-alerts/cpujul2021.html

http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3CVI1PR0101MB2142E0EA19F582429C3AEBCBB1920%40VI1PR0101MB2142.eurprd01.prod.exchangelabs.com%3E

https://access.redhat.com/errata/RHSA-2020:0804

https://access.redhat.com/errata/RHSA-2020:0805

https://access.redhat.com/errata/RHSA-2020:0806

https://access.redhat.com/errata/RHSA-2020:0811

https://lists.apache.org/thread.html/003ac686189e6ce7b99267784d04bf60059a8c323eeda5a79a0309b8%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/07bd68ad237a5d513751d6d2731a8828f902c738ea57d85c1a72bad3%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/0d058e1bfd11727c4f2e2adf4b6e403a47c38e22431ab20066a1ac79%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/1193444c17f499f92cd198d464a2c1ffc92182c83487345a854914b3%40%3Cuser.thrift.apache.org%3E

https://lists.apache.org/thread.html/1c18ec6ebfea0a9211992be952e8b33d0fda202c077979b84a5e09a8%40%3Cuser.thrift.apache.org%3E

https://lists.apache.org/thread.html/3dfa054b89274c9109c26ed1843ca15a14c03786f4016d26773878ae%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/928cae83d20d8d8196c26118f7084aa37573e1d31162381fb9454fb5%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/9f7150d0b02e72d1154721a412e80cf797f1b7cfa295fcefc67b1381%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/a9669756befaeb0f8e08766d3f4d410a0fce85da3a570506f71f0b67%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/r0c606d4be9aa163d132edf8edd8eb55e7b9464063b99acbbf6e9e287%40%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/r0d08f5576286f4a042aabde13ecf58979644f6dc210f25aa9a4d469b%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/r137753c9df8dd9065bea27a26af49aadc406b5a57fc584fefa008afd%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/r1b1a92c229ead94d53b3bcde9e624d002b54f1c6fdb830b9f4da20e1%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/r228ac842260c2c516af7b09f3cf4cf76e5b9c002e359954a203ab5a5%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/r2832722c31d78bef7526e2c701ba4b046736e4c851473194a247392f%40%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/r36581cc7047f007dd6aadbdd34e18545ec2c1eb7ccdae6dd47a877a9%40%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/r3887b48b183b6fa43e59398bd170a99239c0a16264cb5175b5b689d0%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/r4633082b834eebccd0d322697651d931ab10ca9c51ee7ef18e1f60f4%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/r50bf84c60867574238d18cdad5da9f303b618114c35566a3a001ae08%40%3Cdev.hive.apache.org%3E

https://lists.apache.org/thread.html/r53c03e1c979b9c628d0d65e0f49dd9a9f9d7572838727ad11b750575%40%3Cuser.cassandra.apache.org%3E

https://lists.apache.org/thread.html/r55609613abab203a1f2c1f3de050b63ae8f5c4a024df0d848d6915ff%40%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/r569b2b3da41ff45bfacfca6787a4a8728edd556e185b69b140181d9d%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/r573029c2f8632e3174b9eea7cd57f9c9df33f2f706450e23fc57750a%40%3Ccommits.thrift.apache.org%3E

https://lists.apache.org/thread.html/r67a704213d13326771f46c84bbd84c8281bb93946e155e0e40abcb4c%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/r73a3c8b80765e3d2430ff51f22b778d0c917919f01815b69ed16cf9d%40%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/r7859e767c90c8f4971dec50f801372aa64e88f143c3e8a265a36f9b4%40%3Cuser.cassandra.apache.org%3E

https://lists.apache.org/thread.html/r92b7771afee2625209c36727fefdc77033964e9a1daa81ec3327e625%40%3Cuser.cassandra.apache.org%3E

https://lists.apache.org/thread.html/r934f312dd5add7276ac2de684d8b237554ff9f34479a812df5fd6aee%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/rab740e5c70424ef79fd095a4b076e752109aeee41c4256c2e5e5e142%40%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/rb139fa1d2714822d8c6e6f3bd6f5d5c91844d313201185c409288fd9%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/rba61c1f3a3b1960a6a694775b1a437751eba0825f30188f69387fe90%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/rce0d368a78b42c545f26c2e6e91e2b8a91b27b60d0cb45fe1911d337%40%3Cnotifications.thrift.apache.org%3E

https://lists.apache.org/thread.html/re387dc6ca11cb0b0ce4de8e800bb91ca50fee054b80105f5cd34adcb%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/rf359e5cc6a185494fc0cfe837fe82f7db2ef49242d35cbf3895aebce%40%3Cdev.thrift.apache.org%3E

https://security.gentoo.org/glsa/202107-32

Related Vulnerabilities

CVE-2022-29256 Vulnerability in npm package sharp

CVE-2019-8331 Vulnerability in maven package org.webjars.npm:bootstrap

CVE-2012-0803 Vulnerability in maven package org.apache.cxf:cxf-bundle

CVE-2022-39236 Vulnerability in npm package matrix-js-sdk

CVE-2011-5064 Vulnerability in maven package org.apache.tomcat:catalina

Severity

High

Classification

CWE-835 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Patch Third Party Advisory Mailing List Vendor Advisory