The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2016-5397 from the MITRE CVE dictionary dictionary and NIST NVD.
libthrift is a library used by OpenDaylight which is shipped with Red Hat OpenStack. Whilst the version of the library used contains the vulnerable code it is not used by OpenDaylight and hence not exposed.
JBoss fuse 6.3 ships libthrift via insight-activemq fabric-8 profile, however the vulnerable code is not used by fabric-8 so fuse 6.3 is not affected.
| CVSS3 Base Score | 7.8 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Fuse 7 | RHSA-2018:2669 | 2018-09-11 |
| Platform | Package | State |
|---|---|---|
| Red Hat OpenStack Platform 13.0 (Queens) | libthrift | Will not fix |
| Red Hat OpenStack Platform 12.0 | libthrift | Will not fix |
| Red Hat OpenStack Platform 11.0 (Ocata) | libthrift | Will not fix |
| Red Hat OpenStack Platform 10 | libthrift | Will not fix |
| Red Hat OpenShift Enterprise 3 | thrift | Not affected |
| Red Hat JBoss Operations Network 3 | libthrift | Not affected |
| Red Hat JBoss Fuse Service Works 6 | thrift | Under investigation |
| Red Hat JBoss Fuse 6 | karaf | Not affected |
| Red Hat JBoss Data Virtualization 6 | libthrift | Under investigation |
Vulmon