opentracing-contrib / java-spring-jaeger

Apache License 2.0

CVE-2020-13949 in libthrift 0.13.0 dependency #121

Closed lathspell closed 3 years ago

lathspell commented 3 years ago

The OWASP dependency checker reports:

libthrift-0.13.0.jar (pkg:maven/org.apache.thrift/libthrift@0.13.0, cpe:2.3:a:apache:thrift:0.13.0:*:*:*:*:*:*:*) : CVE-2020-13949

Link: https://nvd.nist.gov/vuln/detail/CVE-2020-13949

The dependency tree looks like:

+--- io.opentracing.contrib:opentracing-spring-jaeger-cloud-starter:3.3.1
|    +--- io.opentracing.contrib:opentracing-spring-jaeger-starter:3.3.1
|    |    +--- io.opentracing:opentracing-api:0.33.0
|    |    \--- io.jaegertracing:jaeger-client:1.3.2
|    |         +--- io.jaegertracing:jaeger-thrift:1.3.2
|    |         |    +--- io.jaegertracing:jaeger-core:1.3.2
|    |         |    |    +--- io.opentracing:opentracing-api:0.33.0
|    |         |    |    +--- io.opentracing:opentracing-util:0.33.0 (*)
|    |         |    |    +--- com.google.code.gson:gson:2.8.6
|    |         |    |    \--- org.slf4j:slf4j-api:1.7.28 -> 1.7.30
|    |         |    +--- org.slf4j:slf4j-api:1.7.28 -> 1.7.30
|    |         |    +--- org.apache.thrift:libthrift:0.13.0                              <---- libthrift
|    |         |    |    +--- org.slf4j:slf4j-api:1.7.25 -> 1.7.30
|    |         |    |    \--- javax.annotation:javax.annotation-api:1.3.2
|    |         |    \--- com.squareup.okhttp3:okhttp:4.2.2 -> 3.14.9
|    |         |         \--- com.squareup.okio:okio:1.17.2
...

geoand commented 3 years ago

There doesn't appear to be a newer version of org.apache.thrift:libthrift on Maven Central

lathspell commented 3 years ago

On https://thrift.apache.org/download a maven artefact with version 0.14.0 is mentioned. It's not yet on https://repo.maven.apache.org/maven2/org/apache/thrift/libthrift/ though. I'll ask on https://issues.apache.org/jira/browse/THRIFT-5359

lathspell commented 3 years ago

The Thrift maintainers managed to release 0.14.0; it's already on repository.apache.org and should be available on Maven Central in a couple of hours.

geoand commented 3 years ago

I have opened https://github.com/jaegertracing/jaeger-client-java/pull/768

drwille commented 3 years ago

This looks like it has been resolved in io.jaegertracing:jaeger-client:jar:1.6.0.
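For a consumer who cannot yet move to the jaeger-client 1.6.0 release mentioned above, the interim mitigation is to lift the transitive libthrift to the 0.14.0 release from the thread. The build fragment below is an added example in the Gradle Groovy DSL (the `+---` tree above is Gradle `dependencies` output), not code from this repository; it assumes the starter is consumed as a plain `implementation` dependency.

```groovy
// build.gradle (added example, not part of java-spring-jaeger)
dependencies {
    // The starter from the thread; it pulls in jaeger-thrift -> libthrift 0.13.0 transitively.
    implementation 'io.opentracing.contrib:opentracing-spring-jaeger-cloud-starter:3.3.1'

    constraints {
        // A constraint raises the resolved version of a transitive dependency without
        // declaring it as a direct one, so it disappears cleanly once the upstream
        // starter ships a jaeger-client that already depends on a fixed libthrift.
        implementation('org.apache.thrift:libthrift:0.14.0') {
            because 'CVE-2020-13949: libthrift 0.13.0 reached via io.jaegertracing:jaeger-thrift'
        }
    }
}
```

Verify the override took effect with `gradle dependencyInsight --dependency libthrift --configuration runtimeClasspath`, which prints the selected version and the constraint's `because` reason. A constraint only changes the resolved version; it does not confirm that jaeger-thrift 1.3.2 is compatible with libthrift 0.14.0, so run the application's own tests before relying on it.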