Medium severity: Apache Thrift up to 0.13.0 Short Message Denial of Service Vulnerability

CVE ID

CVE-2020-13949

Exploitation status

None known

Patch status

Official patch

Disclosure date

2021-02-13
Vulnerability description
Apache Thrift is a cross-language RPC and serialization framework maintained by the Apache Software Foundation.

Apache Thrift 0.9.3 through 0.13.0 contains a resource management flaw (uncontrolled resource consumption). A malicious RPC client can send a short message whose length or container-size fields claim far more elements than the message actually carries; the decoder reserves memory for the claimed size before checking that enough bytes remain to fill it, so a message of a few bytes can force a very large allocation and a denial of service. The issue is fixed in Apache Thrift 0.14.0.
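The allocation pattern described above, modelled as an added example in Python. This is illustration code written for this page, not Thrift's own decoder: it parses a framed TBinaryProtocol list header the way the libraries do (1-byte element type, big-endian i32 count) and contrasts a decoder that trusts the count with one that first checks the count against the bytes still unread, using the minimum wire size of each element type. The sample frames are constructed, not captured traffic; the function names and the `ProtocolError` class are this example's own.

```python
import struct

# TBinaryProtocol element type ids (subset of Thrift's TType).
T_BOOL, T_BYTE, T_DOUBLE, T_I16, T_I32 = 2, 3, 4, 6, 8
T_I64, T_STRING, T_STRUCT, T_MAP, T_SET, T_LIST = 10, 11, 12, 13, 14, 15

# Smallest number of bytes one element of each type occupies on the wire in
# the binary protocol: an empty string is just its 4-byte length prefix, an
# empty struct is a single T_STOP byte, an empty map is ktype+vtype+i32 size.
MIN_WIRE_SIZE = {
    T_BOOL: 1, T_BYTE: 1, T_DOUBLE: 8, T_I16: 2, T_I32: 4, T_I64: 8,
    T_STRING: 4, T_STRUCT: 1, T_MAP: 6, T_SET: 5, T_LIST: 5,
}


class ProtocolError(ValueError):
    """Raised when a message is rejected before any allocation happens."""


def frame(payload: bytes) -> bytes:
    """Wrap a payload in a TFramedTransport 4-byte big-endian length prefix."""
    return struct.pack(">i", len(payload)) + payload


def unframe(raw: bytes) -> bytes:
    """Strip and validate the frame header. The frame length itself is
    consistent in the attack: it is the size field inside the frame that lies."""
    if len(raw) < 4:
        raise ProtocolError("truncated frame header")
    (frame_len,) = struct.unpack_from(">i", raw, 0)
    if frame_len < 0 or frame_len != len(raw) - 4:
        raise ProtocolError(f"frame length {frame_len} does not match payload")
    return raw[4:]


def read_list_begin(payload: bytes, pos: int = 0):
    """Decode a binary-protocol list header: 1 byte elem type, i32 count."""
    if len(payload) - pos < 5:
        raise ProtocolError("truncated list header")
    elem_type = payload[pos]
    (count,) = struct.unpack_from(">i", payload, pos + 1)
    if count < 0:
        raise ProtocolError(f"negative list size {count}")
    return elem_type, count, pos + 5


def reserve_unchecked(raw_frame: bytes) -> int:
    """Pre-0.14 behaviour: reserve capacity for `count` elements as soon as
    the header is parsed. Returns the element capacity the decoder would
    reserve (the real libraries allocate it; this model only reports it)."""
    _, count, _ = read_list_begin(unframe(raw_frame))
    return count


def reserve_checked(raw_frame: bytes) -> int:
    """Mitigated behaviour: a genuine list of `count` elements of type `t`
    needs at least count * MIN_WIRE_SIZE[t] more bytes, so a count larger
    than the bytes still unread is rejected before any capacity is reserved."""
    payload = unframe(raw_frame)
    elem_type, count, pos = read_list_begin(payload)
    min_elem = MIN_WIRE_SIZE.get(elem_type)
    if min_elem is None:
        raise ProtocolError(f"unknown element type {elem_type}")
    remaining = len(payload) - pos
    if count > remaining // min_elem:
        raise ProtocolError(
            f"list claims {count} elements of type {elem_type} but only "
            f"{remaining} bytes remain (need at least {count * min_elem})")
    return count


def is_rejected(raw_frame: bytes) -> bool:
    """True if the mitigated decoder refuses the frame."""
    try:
        reserve_checked(raw_frame)
    except ProtocolError:
        return True
    return False


# Constructed sample frames (not captured traffic).
# An honest list<i32> [7, 9]: header followed by two 4-byte elements.
HONEST = frame(bytes([T_I32]) + struct.pack(">i", 2) + struct.pack(">ii", 7, 9))
# A 9-byte frame claiming a list of 2^31-1 structs with no element bytes at all.
SHORT_BUT_HUGE = frame(bytes([T_STRUCT]) + struct.pack(">i", 0x7FFFFFFF))

if __name__ == "__main__":
    print("unchecked decoder reserves", reserve_unchecked(SHORT_BUT_HUGE), "elements")
    print("checked decoder rejects short frame:", is_rejected(SHORT_BUT_HUGE))
    print("checked decoder accepts honest frame:", reserve_checked(HONEST), "elements")
```

The frame-length check alone does not help: the frame in `SHORT_BUT_HUGE` is well-formed and only 9 bytes long, yet an unchecked decoder would reserve capacity for over two billion elements. The bound `count <= remaining // MIN_WIRE_SIZE[elem_type]` is the cheap, protocol-level check that makes the claimed size consistent with the bytes the client actually sent; the same reasoning applies to string lengths and map or set sizes.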
Remediation
The vendor has released a fix: upgrade to Apache Thrift 0.14.0 or later (the distribution fix versions listed below, such as Alpine's 0.14.0-r0, correspond to this release). Patch announcement:

https://lists.apache.org/thread.html/r43dc2b2e928e9d845b07ac075634cb759d91bb852421dc282f87a74a%40%3Cdev.thrift.apache.org%3E
References
https://lists.apache.org/thread.html/r01b34416677f1ba869525e1b891ac66fa6f88c0...
https://lists.apache.org/thread.html/r02ba8db500d15a5949e9a7742815438002ba1cf...
https://lists.apache.org/thread.html/r02f7771863383ae993eb83cdfb70c3cb65a355c...
https://lists.apache.org/thread.html/r0372f0af2dad0b76fbd7a6cfdaad29d50384ad4...
https://lists.apache.org/thread.html/r08a7bd19470ef8950d58cc9d9e7b02bc69c43f5...
https://lists.apache.org/thread.html/r1084a911dff90b2733b442ee0f5929d19b16803...
https://lists.apache.org/thread.html/r117d5d2b08d505b69558a2a31b0a1cf8990cd03...
https://lists.apache.org/thread.html/r12090c81b67d21a814de6cf54428934a5e5613f...
https://lists.apache.org/thread.html/r13f40151513ff095a44a86556c65597a7e55c00...
https://lists.apache.org/thread.html/r143ca388b0c83fe659db14be76889d50b453b0e...
https://lists.apache.org/thread.html/r1456eab5f3768be69436d5b0a68b483eb316eb8...
https://lists.apache.org/thread.html/r1504886a550426d3c05772c47b1a6350c3235e5...
https://lists.apache.org/thread.html/r15eed5d21e16a5cce810c1e096ffcffc36cd08c...
https://lists.apache.org/thread.html/r179119bbfb5610499286a84c316f6789c5afbfa...
https://lists.apache.org/thread.html/r17cca685ad53bc8300ee7fcfe874cb784a22234...
https://lists.apache.org/thread.html/r18732bb1343894143d68db58fe4c8f56d9cd221...
https://lists.apache.org/thread.html/r191a9279e2863b68e5496ee4ecd8be0d4fe43b3...
https://lists.apache.org/thread.html/r196409cc4df929d540a2e66169104f2b3b258d8...
https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6b...
https://lists.apache.org/thread.html/r1dea91f0562e0a960b45b1c5635b2a47b258b77...
https://lists.apache.org/thread.html/r1fb2d26b81c64ce96c4fd42b9e6842ff315b02c...
https://lists.apache.org/thread.html/r20f6f8f8cf07986dc5304baed3bf4d8a1c4cf13...
https://lists.apache.org/thread.html/r278e96edc4bc13efb2cb1620a73e48f569162b8...
https://lists.apache.org/thread.html/r27b7d3d95ffa8498899ef1c9de553d469f8fe85...
https://lists.apache.org/thread.html/r286e9a13d3ab0550042997219101cb87871834b...
https://lists.apache.org/thread.html/r298a25228868ebc0943d56c8f3641212a0962d2...
https://lists.apache.org/thread.html/r2d180180f37c2ab5cebd711d080d01d8452efa8...
https://lists.apache.org/thread.html/r2ed66a3823990306b742b281af1834b9bc85f98...
https://lists.apache.org/thread.html/r2f6a547f226579f542eb08793631d1f2d47d7ae...
https://lists.apache.org/thread.html/r3550b61639688e0efbc253c6c3e6358851c1f05...
https://lists.apache.org/thread.html/r36581cc7047f007dd6aadbdd34e18545ec2c1eb...
https://lists.apache.org/thread.html/r3a1291a7ab8ee43db87cb025337148981087702...
https://lists.apache.org/thread.html/r3de0e0c26d4bd00dd28cab27fb44fba11d1c1d2...
https://lists.apache.org/thread.html/r3e31ec7e8c39db7553be4f4fd4d27cf27c41f1b...
https://lists.apache.org/thread.html/r3f3e1d562c528b4bafef2dde51f79dd444a4b68...
https://lists.apache.org/thread.html/r3f97dbbbb1b2a7324521208bb595392853714e1...
https://lists.apache.org/thread.html/r409e296c890753296c544a74d4de0d4a3ce7192...
https://lists.apache.org/thread.html/r421a9a76811c1aed7637b5fe5376ab14c09ccdd...
https://lists.apache.org/thread.html/r43dc2b2e928e9d845b07ac075634cb759d91bb8...
https://lists.apache.org/thread.html/r449288f6a941a2585262e0f4454fdefe169d5fa...
https://lists.apache.org/thread.html/r4d90b6d8de9697beb38814596d3a0d4994fa9ab...
https://lists.apache.org/thread.html/r4fa53eacca2ac38904f38dc226caebb3f2f668b...
https://lists.apache.org/thread.html/r515e01a30443cfa2dbb355c44c63149869afd68...
https://lists.apache.org/thread.html/r533a172534ae67f6f17c4d33a1b814d3d5ada9c...
https://lists.apache.org/thread.html/r587b4a5bcbc290269df0906bafba074f3fe4e50...
https://lists.apache.org/thread.html/r62aa6d07b23095d980f348d330ed766560f9a9e...
https://lists.apache.org/thread.html/r635133a74fa07ef3331cae49a9a088365922266...
https://lists.apache.org/thread.html/r668aed02e287c93403e0b8df16089011ee4a96a...
https://lists.apache.org/thread.html/r6990c849aeafe65366794bfd002febd47b7ffa8...
https://lists.apache.org/thread.html/r699c031e6921b0ad0f943848e7ba1d0e88c9536...
https://lists.apache.org/thread.html/r6ae3c68b0bfe430fb32f24236475276b6302bed...
https://lists.apache.org/thread.html/r6ba4f0817f98bf7c1cb314301cb7a24ba11a0b3...
https://lists.apache.org/thread.html/r6c5b7324274fd361b038c5cc316e99344b7ae20...
https://lists.apache.org/thread.html/r72c3d1582d50b2ca7dd1ee97e81c847a5cf3458...
https://lists.apache.org/thread.html/r741364444c3b238ab4a161f67f0d3a8f68acc51...
https://lists.apache.org/thread.html/r74eb88b422421c65514c23cb9c2b2216efb9254...
https://lists.apache.org/thread.html/r7597683cc8b87a31ec864835225a543dad112d7...
https://lists.apache.org/thread.html/r7ae909438ff5a2ffed9211e6ab0bd926396fd0b...
https://lists.apache.org/thread.html/r812915ecfa541ad2ca65c68a97b2c014dc87141...
https://lists.apache.org/thread.html/r850522c56c05aa06391546bdb530bb8fc3437f2...
https://lists.apache.org/thread.html/r869331422580d35b4e65bd74cf3090298c4651b...
https://lists.apache.org/thread.html/r886b6d9a89b6fa0aafbf0a8f8f14351548d6c6f...
https://lists.apache.org/thread.html/r8897a41f50d4eb19b268bde99328e943ba586f7...
https://lists.apache.org/thread.html/r890b8ec5203d70a59a6b1289420d46938d9029e...
https://lists.apache.org/thread.html/r89fdd39965efb7c6d22bc21c286d203252cea47...
https://lists.apache.org/thread.html/r8dfbefcd606af6737b62461a45a9af9222040b6...
https://lists.apache.org/thread.html/r90b4473950e26607ed77f3d70f120166f6a36a3...
https://lists.apache.org/thread.html/r93f23f74315e009f4fb68ef7fc794dceee42cf8...
https://lists.apache.org/thread.html/r950ced188d62320fdb84d9e2c6ba89632819495...
https://lists.apache.org/thread.html/r995b945cc8f6ec976d8c52d42ba931a688b45fb...
https://lists.apache.org/thread.html/r9b51e7c253cb0989b4c03ed9f4e5f0478e42747...
https://lists.apache.org/thread.html/r9ec75f690dd60fec8621ba992290962705d5b7f...
https://lists.apache.org/thread.html/ra3f7f06a1759c8e2985ed24ae2f5483393c744c...
https://lists.apache.org/thread.html/ra7371efd8363c1cd0f5331aafd359a808cf7277...
https://lists.apache.org/thread.html/ra9f7c755790313e1adb95d29794043fb102029e...
https://lists.apache.org/thread.html/race178e9500ab8a5a6112667d27c48559150cad...
https://lists.apache.org/thread.html/rad635e16b300cf434280001ee6ecd2ed2c70987...
https://lists.apache.org/thread.html/rada9d2244a66ede0be29afc5d5f178a209f9988...
https://lists.apache.org/thread.html/rae95c2234b6644bfd666b2671a1b42a09f38514...
https://lists.apache.org/thread.html/raea1bb8cf2eb39c5e10543f547bdbbdbb563c2a...
https://lists.apache.org/thread.html/rb3574bc1036b577b265be510e6b208f0a5d5d84...
https://lists.apache.org/thread.html/rb44ec04e5a9b1f87fef97bb5f054010cbfaa3b8...
https://lists.apache.org/thread.html/rb51977d392b01434b0b5df5c19b9ad5b6178cfe...
https://lists.apache.org/thread.html/rb91c32194eb5006f0b0c8bcdbd512c13495a1b2...
https://lists.apache.org/thread.html/rbc5cad06a46d23253a3c819229efedecfc05f89...
https://lists.apache.org/thread.html/rbfbb81e7fb5d5009caf25798f02f42a7bd064a3...
https://lists.apache.org/thread.html/rc48ab5455bdece9a4afab53ca0f1e4f742d5baa...
https://lists.apache.org/thread.html/rc7a241e0af086b226ff9ccabc4a243d206f0f88...
https://lists.apache.org/thread.html/rc7a79b08822337c68705f16ee7ddcfd352313b8...
https://lists.apache.org/thread.html/rc896ce7761999b088f3adabcb99dde2102b6a66...
https://lists.apache.org/thread.html/rcace846f74ea9e2af2f7c30cef0796724aa7408...
https://lists.apache.org/thread.html/rcae4c66f67e701db44d742156dee1f3e5e4e07a...
https://lists.apache.org/thread.html/rcdf62ecd36e39e4ff9c61802eee4927ce9ecff1...
https://lists.apache.org/thread.html/rd0734d91f16d5b050f0bcff78b4719300042a34...
https://lists.apache.org/thread.html/rd370fdb419652c5219409b315a6349b07a7e479...
https://lists.apache.org/thread.html/rd49d53b146d94a7d3a135f6b505589655ffec24...
https://lists.apache.org/thread.html/rd78cdd87d84499a404202f015f55935db3658bd...
https://lists.apache.org/thread.html/rdc8e0f92d06decaee5db58de4ded16d80016a7d...
https://lists.apache.org/thread.html/rdcf00186c34d69826d9c6b1f010136c98b00a58...
https://lists.apache.org/thread.html/rf568168e7f83871969928c0379813da6d034485...
https://lists.apache.org/thread.html/rf603d25213cfff81d6727c259328846b366fd32...
https://lists.apache.org/thread.html/rf65df763f630163a3f620887efec082080555ce...
https://lists.apache.org/thread.html/rf741d08c7e0ab1542c81ea718467422bd01159e...
https://lists.apache.org/thread.html/rf75979ae0ffd526f3afa935a8f0ee13c82808ea...
https://lists.apache.org/thread.html/rfbb01bb85cdc2022f3b96bdc416dbfcb49a2855...
https://security.gentoo.org/glsa/202107-32
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
Affected software
#  Type         Vendor / platform  Product  Version  Affected range
1  Application  apache             thrift   *        from 0.9.3 (inclusive) up to 0.13.0 (inclusive)
   Runs in the following environments:
   System       alpine_3.15        thrift   *        up to 0.14.0-r0 (exclusive)
   System       alpine_3.16        thrift   *        up to 0.14.0-r0 (exclusive)
   System       alpine_3.17        thrift   *        up to 0.14.0-r0 (exclusive)
   System       alpine_3.18        thrift   *        up to 0.14.0-r0 (exclusive)
   System       alpine_3.19        thrift   *        up to 0.14.0-r0 (exclusive)
   System       debian_12          thrift   *        up to 0.16.0-3 (exclusive)
Alibaba Cloud score
6.3
  • Attack vector
    Local (as recorded in this score; note that the trigger is a message from an RPC client, so any network-reachable Thrift server is exposed)
  • Attack complexity
    Low
  • Privileges required
    None
  • Scope
    Global
  • Exploit maturity
    Unverified
  • Patch status
    Official patch
  • Confidentiality impact
    None
  • Integrity impact
    None
  • Server impact
    DoS
  • Internet-wide exposure count
    N/A
CWE-ID  Vulnerability type
CWE-400  Uncontrolled Resource Consumption (Resource Exhaustion)