opentracing-contrib / java-spring-jaeger

Apache License 2.0

Veracode is reporting a security flaw in libthrift-0.13.0.jar a dependency of opentracing-spring-jaeger-web-starter 3.3.1 #137

Open ghevge opened 3 years ago

ghevge commented 3 years ago

Veracode is reporting the following security flaw in libthrift-0.13.0.jar, a dependency of opentracing-spring-jaeger-web-starter 3.3.1:

CVE-2020-13949
Denial Of Service (DoS): libthrift is vulnerable to denial of service (DoS). A malicious user can pass a short message to the system to allocate more memory than it has, causing the system to run out of memory.

Any chance to have this library bumped up? There are newer versions available. The problem was resolved in libthrift-0.14.0.jar+

I've tried to do this upgrade manually at my project .pom level, but it seems opentracing-spring-jaeger-web-starter 3.3.1 tries to call a method that is not available anymore in libthrift-0.14.0.jar.

Thanks

nosheenzaza commented 3 years ago

+1

Harmelodic commented 3 years ago

This has been bumped in version 3.3.3 but has not been released to MVN Central - seemingly because of a CICD failure(?)

lathspell commented 2 years ago

Any progress? opentracing-spring-jaeger-cloud-starter:3.3.1 is still the latest version on Maven Central.

Lenasenap commented 2 years ago

Also interested in the progression of this issue. Does anyone know of a smart workaround to implement libthrift 0.14.0+ while still using opentracing-spring-jaeger-web-starter 3.3.1?

ajurge commented 2 years ago

We also have the same issue with libthrift-0.13.0.jar; org.owasp:dependency-check reports CVE-2020-13949. I have added the following two dependencies manually and that seems to work:

    // Gradle (Kotlin DSL): pin the fixed libthrift and a matching jaeger-thrift
    implementation("org.apache.thrift:libthrift:0.15.0")
    implementation("io.jaegertracing:jaeger-thrift:1.7.0")

leslion commented 2 years ago

I also had the same issue, reported on Nexus IQ, and managed to get version 3.3.1 working by including an updated jaeger client in my project pom.xml:

        <dependency>
            <groupId>io.opentracing.contrib</groupId>
            <artifactId>opentracing-spring-jaeger-web-starter</artifactId>
            <version>3.3.1</version>
        </dependency>
        <dependency>
            <groupId>io.jaegertracing</groupId>
            <artifactId>jaeger-client</artifactId>
            <version>1.8.0</version>
        </dependency>

Additional notes from #133: As mentioned by @Harmelodic, the recommendation is to move to OpenTelemetry. I just wanted to share for those who still have a legacy Jaeger backend without support for the OpenTelemetry client, or who for whatever reason need to use the Jaeger client for now. This overrides the problematic jaeger-client included in 3.3.1. Kindly consider that this is a temporary workaround.
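As an added example (not code from this thread or from the project), a Python check for whether a version override like the ones above actually took effect: it parses `mvn dependency:tree` output and confirms that libthrift resolves to 0.14.0 or later everywhere it appears. The tree text below is constructed, and the parser assumes the standard Maven tree line format `group:artifact:type[:classifier]:version:scope`.

```python
import re

# CVE-2020-13949 is fixed from libthrift 0.14.0 onwards (per the issue above)
FIXED_VERSION = (0, 14, 0)

# Matches one artifact line of `mvn dependency:tree` output, e.g.
# "[INFO] |  \- org.apache.thrift:libthrift:jar:0.13.0:compile"
ARTIFACT_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w\-]+))?:(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def parse_version(version: str) -> tuple:
    # Numeric-prefix comparison: "0.13.0" -> (0, 13, 0); qualifiers such as
    # "-SNAPSHOT" are ignored, which is good enough for a major.minor.patch gate
    nums = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not nums:
        raise ValueError(f"unparseable version: {version}")
    return tuple(int(x or 0) for x in nums.groups())


def find_artifact_versions(tree_text: str, group: str, artifact: str) -> list[str]:
    """Return every version of group:artifact that appears in the resolved tree."""
    found = []
    for line in tree_text.splitlines():
        m = ARTIFACT_RE.search(line)
        if m and m.group("group") == group and m.group("artifact") == artifact:
            found.append(m.group("version"))
    return found


def libthrift_is_fixed(tree_text: str) -> bool:
    """True only if libthrift is present and every occurrence resolves to >= 0.14.0."""
    versions = find_artifact_versions(tree_text, "org.apache.thrift", "libthrift")
    return bool(versions) and all(parse_version(v) >= FIXED_VERSION for v in versions)


# Constructed sample tree output, not taken from any real build
TREE_BEFORE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- io.opentracing.contrib:opentracing-spring-jaeger-web-starter:jar:3.3.1:compile
[INFO] |  \\- io.jaegertracing:jaeger-thrift:jar:1.6.0:compile
[INFO] |     \\- org.apache.thrift:libthrift:jar:0.13.0:compile
"""
# Same tree after the override has taken effect
TREE_AFTER = TREE_BEFORE.replace("libthrift:jar:0.13.0", "libthrift:jar:0.15.0")
```

Run it against the real output of `mvn dependency:tree` (or the equivalent Gradle `dependencies` report, after adapting the regex) as part of CI so the override cannot silently regress.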