Description

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.

Remediation

References

https://www.oracle.com//security-alerts/cpujul2021.html

http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3CVI1PR0101MB2142E0EA19F582429C3AEBCBB1920%40VI1PR0101MB2142.eurprd01.prod.exchangelabs.com%3E

https://access.redhat.com/errata/RHSA-2020:0804

https://access.redhat.com/errata/RHSA-2020:0805

https://access.redhat.com/errata/RHSA-2020:0806

https://access.redhat.com/errata/RHSA-2020:0811

https://lists.apache.org/thread.html/003ac686189e6ce7b99267784d04bf60059a8c323eeda5a79a0309b8%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/07bd68ad237a5d513751d6d2731a8828f902c738ea57d85c1a72bad3%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/0d058e1bfd11727c4f2e2adf4b6e403a47c38e22431ab20066a1ac79%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/1193444c17f499f92cd198d464a2c1ffc92182c83487345a854914b3%40%3Cuser.thrift.apache.org%3E

https://lists.apache.org/thread.html/1c18ec6ebfea0a9211992be952e8b33d0fda202c077979b84a5e09a8%40%3Cuser.thrift.apache.org%3E

https://lists.apache.org/thread.html/3dfa054b89274c9109c26ed1843ca15a14c03786f4016d26773878ae%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/928cae83d20d8d8196c26118f7084aa37573e1d31162381fb9454fb5%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/9f7150d0b02e72d1154721a412e80cf797f1b7cfa295fcefc67b1381%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/a9669756befaeb0f8e08766d3f4d410a0fce85da3a570506f71f0b67%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/r0c606d4be9aa163d132edf8edd8eb55e7b9464063b99acbbf6e9e287%40%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/r0d08f5576286f4a042aabde13ecf58979644f6dc210f25aa9a4d469b%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/r137753c9df8dd9065bea27a26af49aadc406b5a57fc584fefa008afd%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/r1b1a92c229ead94d53b3bcde9e624d002b54f1c6fdb830b9f4da20e1%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/r228ac842260c2c516af7b09f3cf4cf76e5b9c002e359954a203ab5a5%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/r2832722c31d78bef7526e2c701ba4b046736e4c851473194a247392f%40%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/r36581cc7047f007dd6aadbdd34e18545ec2c1eb7ccdae6dd47a877a9%40%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/r3887b48b183b6fa43e59398bd170a99239c0a16264cb5175b5b689d0%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/r4633082b834eebccd0d322697651d931ab10ca9c51ee7ef18e1f60f4%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/r50bf84c60867574238d18cdad5da9f303b618114c35566a3a001ae08%40%3Cdev.hive.apache.org%3E

https://lists.apache.org/thread.html/r53c03e1c979b9c628d0d65e0f49dd9a9f9d7572838727ad11b750575%40%3Cuser.cassandra.apache.org%3E

https://lists.apache.org/thread.html/r55609613abab203a1f2c1f3de050b63ae8f5c4a024df0d848d6915ff%40%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/r569b2b3da41ff45bfacfca6787a4a8728edd556e185b69b140181d9d%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/r573029c2f8632e3174b9eea7cd57f9c9df33f2f706450e23fc57750a%40%3Ccommits.thrift.apache.org%3E

https://lists.apache.org/thread.html/r67a704213d13326771f46c84bbd84c8281bb93946e155e0e40abcb4c%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/r73a3c8b80765e3d2430ff51f22b778d0c917919f01815b69ed16cf9d%40%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/r7859e767c90c8f4971dec50f801372aa64e88f143c3e8a265a36f9b4%40%3Cuser.cassandra.apache.org%3E

https://lists.apache.org/thread.html/r92b7771afee2625209c36727fefdc77033964e9a1daa81ec3327e625%40%3Cuser.cassandra.apache.org%3E

https://lists.apache.org/thread.html/r934f312dd5add7276ac2de684d8b237554ff9f34479a812df5fd6aee%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/rab740e5c70424ef79fd095a4b076e752109aeee41c4256c2e5e5e142%40%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/rb139fa1d2714822d8c6e6f3bd6f5d5c91844d313201185c409288fd9%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/rba61c1f3a3b1960a6a694775b1a437751eba0825f30188f69387fe90%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/rce0d368a78b42c545f26c2e6e91e2b8a91b27b60d0cb45fe1911d337%40%3Cnotifications.thrift.apache.org%3E

https://lists.apache.org/thread.html/re387dc6ca11cb0b0ce4de8e800bb91ca50fee054b80105f5cd34adcb%40%3Cdev.thrift.apache.org%3E

https://lists.apache.org/thread.html/rf359e5cc6a185494fc0cfe837fe82f7db2ef49242d35cbf3895aebce%40%3Cdev.thrift.apache.org%3E

https://security.gentoo.org/glsa/202107-32

Related Vulnerabilities

CVE-2021-22964 Vulnerability in npm package fastify-static

CVE-2018-20677 Vulnerability in npm package bootstrap

CVE-2020-5280 Vulnerability in maven package org.http4s:http4s-server

CVE-2009-2901 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2023-22621 Vulnerability in npm package @strapi/plugin-users-permissions

Severity

High

Classification

CWE-835 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Patch Third Party Advisory Mailing List Vendor Advisory