#general
Tao Jiang

05/12/2021, 9:52 PM
Hi, here are some vulnerabilities from Apache Thrift 0.14.1. Looks like they are all from the Thrift server side. Thanks.
Mike Myers

05/13/2021, 6:26 PM
It looks like Apache Thrift is lagging the fixes available in Facebook Thrift. I am not sure they've patched any of these.
Tao Jiang

05/13/2021, 6:31 PM
Thanks @Mike Myers. Is there a way to access the updated version of Facebook Thrift? The Apache Thrift repo doesn't even allow filing an issue. Thanks!
Mike Myers

05/13/2021, 6:31 PM
Their issues are tracked at their Apache page, but I couldn't find discussions of any of these.
6:32 PM
Is this a report from Black Duck software?
6:32 PM
https://github.com/osquery/osquery/issues/7104 I opened an issue here for us to evaluate
Tao Jiang

05/13/2021, 6:33 PM
Yes, we have regular scanning for security issues internally using Black Duck.
zwass

05/13/2021, 6:34 PM
FWIW osquery's Thrift server listens on a socket (POSIX) or named pipe (Windows) that is permissioned to allow only root users to access it. So I'm not sure vulnerabilities in the server would be worth exploiting (since the user would already have root).
Mike Myers

05/13/2021, 6:59 PM
That's true (now — until recently on Windows osquery didn't lock down the Thrift pipe, but now it does).