oss-sec mailing list archives
CVE-2020-13949: Apache Thrift: potential DoS when processing untrusted payloads
From: "Jens Geyer" <jensg () apache org>
Date: Thu, 11 Feb 2021 23:43:29 +0100
CVE-2020-13949: potential DoS when processing untrusted Thrift payloads
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Thrift up to and including 0.13.0
Description:
Applications using Thrift did not raise an error when they received a message whose container header declared more elements than the remaining payload could possibly contain. As a result, a malicious RPC client could send a very short message that caused the receiver to allocate a large container up front, potentially leading to denial of service.
Mitigation:
Upgrade to version 0.14.0
Credit:
This issue was reported by Hasnain Lakhani of Facebook.
On behalf of the Apache Thrift PMC,
Jens Geyer
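To make the failure mode concrete, here is an added, self-contained illustration; it is not code from the advisory or from Apache Thrift. It decodes a Thrift binary-protocol `list` header (1-byte element type, 4-byte big-endian count) in two modes. With `check_lengths=False` it trusts the declared count and reserves a container of that size before reading a single element, which is the pattern the advisory describes: a 5-byte message drives an allocation of millions of slots. With `check_lengths=True` it first compares the declared count, multiplied by the smallest wire size an element of that type can have, against the bytes still available and rejects the message before reserving anything. The `ListReader`, `probe` and `MIN_ELEMENT_SIZE` names, the restriction to `i32` and nested-list elements, and the sample payloads are all constructed for this example; the type codes and wire layout are those of Thrift's binary protocol.

```python
import struct

# TBinaryProtocol type codes for the two element types this example decodes (from the
# Thrift binary protocol spec), and the smallest number of bytes one element of that type
# can occupy on the wire: an i32 is always 4 bytes, a list is at least its 1-byte element
# type plus its 4-byte count.  Restricting to these two types is a simplification.
T_I32, T_LIST = 8, 15
MIN_ELEMENT_SIZE = {T_I32: 4, T_LIST: 5}


class TProtocolException(Exception):
    """Malformed input (the role Thrift's TProtocolException plays)."""


class TruncatedPayload(TProtocolException):
    """The payload ended before a value that had to be read."""


class ContainerTooLarge(TProtocolException):
    """A container header declares more elements than the remaining payload can hold."""


class ListReader:
    """Minimal binary-protocol reader for list<i32> and nested lists (example code).

    check_lengths=False mirrors the behaviour the advisory describes: the declared count
    is trusted and a container of that size is reserved before any element is read.
    check_lengths=True validates the declared size against the bytes still available first.
    """

    def __init__(self, data: bytes, check_lengths: bool):
        self.data = data
        self.pos = 0
        self.check_lengths = check_lengths
        self.reserved_slots = 0  # list slots reserved so far (instrumentation for the demo)

    def _need(self, nbytes: int) -> None:
        if self.pos + nbytes > len(self.data):
            raise TruncatedPayload(
                f"need {nbytes} bytes at offset {self.pos}, only {len(self.data) - self.pos} left")

    def read_i32(self) -> int:
        self._need(4)
        (value,) = struct.unpack_from(">i", self.data, self.pos)
        self.pos += 4
        return value

    def read_list(self) -> list:
        self._need(5)
        etype = self.data[self.pos]
        self.pos += 1
        count = self.read_i32()
        if count < 0:
            raise TProtocolException("negative container size")
        if self.check_lengths:
            # Hardened path: `count` elements need at least count * (minimum element size)
            # further bytes.  Refuse the message before reserving anything if they are absent.
            if etype not in MIN_ELEMENT_SIZE:
                raise TProtocolException(f"unsupported element type {etype}")
            needed = count * MIN_ELEMENT_SIZE[etype]
            if self.pos + needed > len(self.data):
                raise ContainerTooLarge(
                    f"{count} elements of type {etype} need {needed} bytes, "
                    f"only {len(self.data) - self.pos} left")
        items = [None] * count  # vulnerable pattern: allocation sized by the sender, not the payload
        self.reserved_slots += count
        for i in range(count):
            items[i] = self.read_value(etype)
        return items

    def read_value(self, ttype: int):
        if ttype == T_I32:
            return self.read_i32()
        if ttype == T_LIST:
            return self.read_list()
        raise TProtocolException(f"unsupported type {ttype}")


def encode_i32_list(values) -> bytes:
    """Serialize a list<i32> in binary protocol; used to build the constructed inputs."""
    return struct.pack(">bi", T_I32, len(values)) + b"".join(struct.pack(">i", v) for v in values)


def decode_list(data: bytes, check_lengths: bool) -> list:
    return ListReader(data, check_lengths).read_list()


def probe(data: bytes, check_lengths: bool):
    """Decode `data` and report (outcome, list slots reserved before that outcome)."""
    reader = ListReader(data, check_lengths)
    try:
        reader.read_list()
        return "ok", reader.reserved_slots
    except TProtocolException as exc:
        return type(exc).__name__, reader.reserved_slots


# Constructed inputs.  Each hostile header is exactly 5 bytes: a list<i32> claiming
# 2,000,000 elements and a list of lists claiming 1,000,000 inner lists.  A real attacker
# would declare 0x7fffffff; the smaller counts keep this demo runnable on a laptop.
GOOD = encode_i32_list([1, 2, 3])
HOSTILE_I32 = struct.pack(">bi", T_I32, 2_000_000)
HOSTILE_NESTED = struct.pack(">bi", T_LIST, 1_000_000)

if __name__ == "__main__":
    for name, data in [("good", GOOD), ("hostile i32", HOSTILE_I32), ("hostile nested", HOSTILE_NESTED)]:
        print(f"{name:15} {len(data):2d} bytes  unchecked={probe(data, False)}  checked={probe(data, True)}")
```

The nested case matters because the check has to happen at every container header, not only at the outermost one: an inner list is itself at least 5 bytes, so a million of them cannot fit in a 5-byte message, and the hardened reader rejects the message before reserving anything. The unchecked reader only notices the truncation after the reservation has already been made.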