[
https://issues.apache.org/jira/browse/CASSANDRA-16739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daniel Gomez updated CASSANDRA-16739:
-------------------------------------
Fix Version/s: 3.11.x
> Remediate Cassandra 3.11.10 JAR dependency vulnerability -
> org.apache.thrift_libthrift
> --------------------------------------------------------------------------------------
>
> Key: CASSANDRA-16739
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16739
> Project: Cassandra
> Issue Type: Improvement
> Components: Dependencies
> Reporter: Daniel Gomez
> Priority: Normal
> Fix For: 3.11.x
>
>
> A JAR dependency is flagged in Cassandra 3.11.10 as having vulnerabilities
> that have been fixed in newer releases. The following is the Cassandra
> 3.11.10 source tree for their JAR dependencies:
> [https://github.com/apache/cassandra/tree/181a4969290f1c756089b2993a638fe403bc1314/lib]
> .
> JAR *org.apache.thrift_libthrift* version *0.9.2* has the following
> vulnerability and is fixed in version *0.9.3-1*. Recommendation is to upgrade
> to version *0.9.3-1* or greater.
>
> ||id||cvss||desc||link||packageName||packageVersion||severity||status||vecStr||
> |CVE-2016-5397|8.8|The Apache Thrift Go client library exposed the potential
> during code generation for command injection due to using an external
> formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache
> Thrift
> 0.10.0.|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5397|org.apache.thrift_libthrift|0.9.2|high|.|CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H|
> |CVE-2018-1320|7.5|Apache Thrift Java client library versions 0.5.0 through
> 0.11.0 can bypass SASL negotiation isComplete validation in the
> org.apache.thrift.transport.TSaslTransport class. An assert used to determine
> if the SASL handshake had successfully completed could be disabled in
> production settings making the validation
> incomplete.|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1320|org.apache.thrift_libthrift|0.9.2|high|.|CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N|
> |CVE-2019-0205|7.5|In Apache Thrift all versions up to and including 0.12.0,
> a server or client may run into an endless loop when feed with specific input
> data. Because the issue had already been partially fixed in version 0.11.0,
> depending on the installed version it affects only certain language
> bindings.|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0205|org.apache.thrift_libthrift|0.9.2|high|.|CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|
>
> A possible fix strategy is to simply update the JAR to their newest version.
> * See
> [https://mvnrepository.com/artifact/org.apache.thrift/libthrift/0.9.3-1]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
