====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN098
_____________________________________________________________________

DATE                : 12/02/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Apache Thrift versions prior to
                                          0.14.0.

=====================================================================
http://mail-archives.apache.org/mod_mbox/thrift-user/202102.mbox/%3c5AC665375A88489691186D327AC3D0FF@HAGGIS%3e
_____________________________________________________________________


CVE-2020-13949: potential DoS when processing untrusted Thrift payloads

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Thrift up to and including 0.13.0

Description:
Applications using Thrift would not error upon receiving messages
declaring containers of sizes larger than the
payload. As a result, malicious RPC clients could send short messages
which would result in a large memory allocation,
potentially leading to denial of service.

Mitigation:
Upgrade to version 0.14.0

Credit:
This issue was reported by Hasnain Lakhani of Facebook.

On behalf of the Apache Thrift PMC,
Jens Geyer

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================