twitter / finatra

Fast, testable, Scala services built on TwitterServer and Finagle
https://twitter.github.io/finatra/
Apache License 2.0
2.27k stars 405 forks

Fixes libThrift high CVEs #560

Open albertpastrana opened 3 years ago

albertpastrana commented 3 years ago

Problem

The current version of libThrift (0.10.0) has some CVEs, listed below:

+-----------------------------+------------------+----------+-------------------+---------------+--------------------------------------------+
|           LIBRARY           | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                   TITLE                    |
+-----------------------------+------------------+----------+-------------------+---------------+--------------------------------------------+
| org.apache.thrift:libthrift | CVE-2018-1320    | HIGH     | 0.10.0            | 0.12.0        | thrift: SASL negotiation                   |
|                             |                  |          |                   |               | isComplete validation bypass in the        |
|                             |                  |          |                   |               | org.apache.thrift.transport.TSaslTransport |
|                             |                  |          |                   |               | class -->avd.aquasec.com/nvd/cve-2018-1320 |
+                             +------------------+          +                   +---------------+--------------------------------------------+
|                             | CVE-2019-0205    |          |                   | 0.13.0        | thrift: Endless loop when                  |
|                             |                  |          |                   |               | feed with specific input data              |
|                             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-0205       |
+                             +------------------+          +                   +               +--------------------------------------------+
|                             | CVE-2019-0210    |          |                   |               | thrift: Out-of-bounds read                 |
|                             |                  |          |                   |               | related to TJSONProtocol                   |
|                             |                  |          |                   |               | or TSimpleJSONProtocol                     |
|                             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-0210       |
+                             +------------------+          +                   +---------------+--------------------------------------------+
|                             | CVE-2020-13949   |          |                   | 0.14.0        | libthrift: potential DoS when              |
|                             |                  |          |                   |               | processing untrusted payloads              |
|                             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-13949      |
+-----------------------------+------------------+----------+-------------------+---------------+--------------------------------------------+

Solution

I've updated the dependency to 0.14.0, which would fix them.

PS: my first contribution in finatra, let me know if I should have done anything differently.

CLAassistant commented 3 years ago

CLA assistant check
All committers have signed the CLA.

albertpastrana commented 3 years ago

I've seen that versions 0.14.0 and 0.14.1 contain an old version of the tomcat-embed-core package that also has several CVEs, which makes this change a bit useless in terms of making it clear of CVEs.

There is a change to move this dependency into test that has been merged but not published yet: https://github.com/apache/thrift/pull/2340

I guess we'd need to wait for 0.14.2 or 0.15.0 or try to use the exclude feature in sbt too.
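The sbt exclusion mentioned above, written out as an added example. This is not Finatra's build.sbt and not code posted in the thread; the Maven coordinates `org.apache.tomcat.embed:tomcat-embed-core`, the choice of 0.14.1 and the `tomcatEmbedVersion` placeholder are assumptions.

```scala
// build.sbt fragment (added example, not Finatra's own build definition)

val libthriftVersion = "0.14.1" // assumption: latest 0.14.x at the time of this thread

// Option A: keep libthrift at 0.14.x but strip the tomcat-embed-core
// transitive dependency that 0.14.0/0.14.1 still declare at compile scope
// (apache/thrift#2340 moves it to test scope, but that change is unreleased).
// Assumed coordinates: org.apache.tomcat.embed:tomcat-embed-core.
// Only safe if nothing on the classpath uses Thrift's servlet transport
// (org.apache.thrift.server.TServlet), which needs a javax.servlet
// implementation at runtime.
libraryDependencies += ("org.apache.thrift" % "libthrift" % libthriftVersion)
  .exclude("org.apache.tomcat.embed", "tomcat-embed-core")

// Option B: keep the transitive dependency but force a patched release.
// tomcatEmbedVersion is a placeholder: look up the release that closes the
// CVEs your scanner reports before pinning it, and drop Option A's exclude.
// val tomcatEmbedVersion = "<patched version>"
// dependencyOverrides += "org.apache.tomcat.embed" % "tomcat-embed-core" % tomcatEmbedVersion
```

After either change, confirm the resolved classpath no longer carries the old jar (for example with `sbt "show Compile/dependencyClasspath"`) and re-run the scanner against the built artifact rather than trusting the declared versions, since a scanner reports what actually ends up on the classpath.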

joybestourous commented 3 years ago

Hey Albert, Thanks for contributing! Since the Finatra library is developed in a monorepo, upgrades like this require moving the entire monorepo. This takes a long time, so we're unfortunately unable to merge this anytime soon.

perchristianhenden commented 9 months ago

Also present in latest tag, https://github.com/twitter/finatra/blob/finatra-23.11.0/build.sbt#L97