Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
Tao Jiang
05/12/2021, 9:52 PMHi, Here are some vulnerabilities from Apache Thrift 0.14.1. Looks like they are all from Thrift Server side. Thanks.
m
Mike Myers
05/13/2021, 6:26 PMIt looks like Apache Thrift is lagging the fixes available in Facebook Thrift. I am not sure they've patched any of these.
t
Tao Jiang
05/13/2021, 6:31 PMThanks @Mike Myers, Is there a way for accessing the updated version of Facebook Thrift? Apache Thrift repo doesn’t even allow to file an issue. Thanks!
m
Mike Myers
05/13/2021, 6:31 PMTheir issues are tracked at their Apache page, but I couldn't find discussions of any of these
Is this a report from Black Duck software?
https://github.com/osquery/osquery/issues/7104 I opened an issue here for us to evaluate
t
Tao Jiang
05/13/2021, 6:33 PMyes, we have regular scanning for security issues internally using black duck.
z
zwass
05/13/2021, 6:34 PMFWIW osquery's Thrift server listens on a socket (POSIX) or named pipe (Windows) that is permissioned to allow only root users to access it. So I'm not sure vulnerabilities in the server would be worth exploiting (since the user would already have root).
m
Mike Myers
05/13/2021, 6:59 PMThat's true (now — until recently on Windows osquery didn't lock down the Thrift pipe but now it does)