go-graphite / go-carbon

Golang implementation of Graphite/Carbon server with classic architecture: Agent -> Cache -> Persister
MIT License

[BUG] CVE-2020-13949 #577

Open pickleMan2 opened 6 months ago

pickleMan2 commented 6 months ago

Describe the bug: The Thrift package appears to be affected by CVE-2020-13949. Would the team be able to upgrade this package on this project so that it is no longer picked up on our scan reports? https://nvd.nist.gov/vuln/detail/CVE-2020-13949

Go-carbon Configuration: https://github.com/go-graphite/go-carbon/blob/master/go.sum

deniszh commented 6 months ago

Hi @pickleMan2

Could you please elaborate on what should be upgraded exactly? I don't remember that we're using thrift here at all.

grutz commented 6 months ago

Looks like it's an indirect import from the module go.opentelemetry.io/otel:

https://github.com/go-graphite/go-carbon/blob/master/go.sum#L55-L56

https://github.com/go-graphite/go-carbon/blob/master/vendor/go.opentelemetry.io/otel/exporters/trace/jaeger/internal/gen-go/jaeger/agent.go#L11

Code vuln scanners generally find these deep things and flag them even when you're not using it.
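
To see for yourself where a flagged transitive module comes from, here is an added example (not go-carbon's own code) that parses `go mod graph` output and finds the shortest dependency chain from the main module to the flagged module, the same question `go mod why -m` answers. The graph text below is a constructed sample, not the repository's real module tree.

```go
package main

import "strings"

// Constructed sample of `go mod graph` output (not go-carbon's real tree).
const sampleGraph = `github.com/go-graphite/go-carbon go.opentelemetry.io/otel@v0.11.0
github.com/go-graphite/go-carbon github.com/lomik/zapwriter@v0.0.0-20200101
go.opentelemetry.io/otel@v0.11.0 github.com/apache/thrift@v0.13.0
go.opentelemetry.io/otel@v0.11.0 google.golang.org/grpc@v1.31.0`

// ParseGraph turns `go mod graph` lines ("<mod>[@ver] <dep>@ver") into an
// adjacency list keyed by module path, with the "@version" suffix stripped.
func ParseGraph(out string) map[string][]string {
	g := map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(out), "\n") {
		if f := strings.Fields(line); len(f) == 2 { // skip malformed lines
			from, to := strings.SplitN(f[0], "@", 2)[0], strings.SplitN(f[1], "@", 2)[0]
			g[from] = append(g[from], to)
		}
	}
	return g
}

// DependencyPath breadth-first searches from root and returns the shortest
// module chain (root first) that pulls target into the build, or nil if it
// is unreachable from root.
func DependencyPath(g map[string][]string, root, target string) []string {
	seen := map[string]bool{root: true}
	queue := [][]string{{root}}
	for len(queue) > 0 {
		path := queue[0]
		queue = queue[1:]
		last := path[len(path)-1]
		if last == target {
			return path
		}
		for _, dep := range g[last] {
			if !seen[dep] {
				seen[dep] = true
				// copy the path before extending so queued paths stay independent
				queue = append(queue, append(append([]string{}, path...), dep))
			}
		}
	}
	return nil
}
```

Run against a real tree with `go mod graph > graph.txt` and feed the file contents to ParseGraph; the returned chain is what to cite when recording a finding as a transitive, unused import.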

deniszh commented 6 months ago

Well, that's not easy to upgrade then. The otel package is severely outdated and not upgradable, and removing tracing is not easy either.

grutz commented 6 months ago

Based on the first line of the Apache issue tied to the CVE, using this version of the library isn't the problem, as it's on the server side not handling short messages.

In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

I'm not the original reporter but have to deal with this quite often. I would note this as "not upgradeable per vendor" and "no impact or risk with use of the go-carbon service" in whatever system reported it and ignore it for 12 months.