oss-sec mailing list archives

CVE-2020-13949: Apache Thrift: potential DoS when processing untrusted payloads


From: "Jens Geyer" <jensg () apache org>
Date: Thu, 11 Feb 2021 23:43:29 +0100

CVE-2020-13949: potential DoS when processing untrusted Thrift payloads

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Thrift up to and including 0.13.0

Description:
Applications using Thrift did not error upon receiving messages declaring containers of sizes larger than the
payload. As a result, a malicious RPC client could send a short message that caused a large memory allocation,
potentially leading to denial of service.
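To make the bug class concrete, the following is an added example (not code from the Apache Thrift project) of a toy Thrift binary-protocol reader for list<i32>. A list in that protocol starts with a 1-byte element type and a big-endian i32 element count. The unchecked reader preallocates on the declared count before confirming the payload can hold it, so a 5-byte header claiming a million elements drives a million-slot allocation; the checked reader bounds the count by the bytes actually received and by a cap before allocating. The function names, the exception types and the MAX_CONTAINER_SIZE cap are assumptions made for the example, and the forged message is constructed inline.

```python
import struct

# Thrift TType ids used by the binary protocol.
T_BOOL, T_BYTE, T_DOUBLE, T_I16, T_I32, T_I64 = 2, 3, 4, 6, 8, 10
T_STRING, T_STRUCT, T_MAP, T_SET, T_LIST = 11, 12, 13, 14, 15

# Smallest possible on-the-wire size of one element of each type, in bytes.
# Strings, containers and structs count only their mandatory header or stop byte.
MIN_ELEMENT_SIZE = {
    T_BOOL: 1, T_BYTE: 1, T_DOUBLE: 8, T_I16: 2, T_I32: 4, T_I64: 8,
    T_STRING: 4, T_STRUCT: 1, T_MAP: 6, T_SET: 5, T_LIST: 5,
}

LIST_HEADER = struct.Struct(">bi")   # element type, element count
I32 = struct.Struct(">i")

# Hypothetical hard cap on container sizes accepted from the network (assumption).
MAX_CONTAINER_SIZE = 1_000_000


class TruncatedPayload(Exception):
    """Payload ended before the declared elements were read (raised after allocating)."""
    def __init__(self, declared, allocated):
        super().__init__(f"declared {declared} elements, payload ran out")
        self.declared = declared
        self.allocated = allocated   # slots preallocated before the truncation was noticed


class OversizedContainer(Exception):
    """Declared size cannot be trusted; raised before any allocation."""


def encode_i32_list(values):
    """Serialize a list<i32> in Thrift binary-protocol framing."""
    return LIST_HEADER.pack(T_I32, len(values)) + b"".join(I32.pack(v) for v in values)


def encode_list_header(elem_type, count):
    """Build only a list header, i.e. a declared size with no elements behind it."""
    return LIST_HEADER.pack(elem_type, count)


def read_i32_list_unchecked(buf):
    """Vulnerable reader: allocates on the declared count, then discovers the truncation."""
    elem_type, count = LIST_HEADER.unpack_from(buf, 0)
    if elem_type != T_I32:
        raise ValueError("example only handles list<i32>")
    if count < 0:
        raise ValueError("negative size")
    items = [0] * count          # attacker-controlled allocation happens here
    off = LIST_HEADER.size
    for i in range(count):
        if off + I32.size > len(buf):
            raise TruncatedPayload(count, len(items))
        items[i] = I32.unpack_from(buf, off)[0]
        off += I32.size
    return items


def check_container_size(elem_type, count, remaining):
    """Reject a declared count that the remaining payload cannot possibly hold."""
    if count < 0 or count > MAX_CONTAINER_SIZE:
        raise OversizedContainer(f"count {count} outside 0..{MAX_CONTAINER_SIZE}")
    min_size = MIN_ELEMENT_SIZE.get(elem_type)
    if min_size is None:
        raise OversizedContainer(f"unknown element type {elem_type}")
    if count * min_size > remaining:
        raise OversizedContainer(f"{count} elements need at least {count * min_size} "
                                 f"bytes, only {remaining} remain")


def read_i32_list(buf):
    """Hardened reader: validate the declared size against the payload before allocating."""
    elem_type, count = LIST_HEADER.unpack_from(buf, 0)
    if elem_type != T_I32:
        raise ValueError("example only handles list<i32>")
    off = LIST_HEADER.size
    check_container_size(elem_type, count, len(buf) - off)
    items = [0] * count          # now bounded by the bytes actually received
    for i in range(count):
        items[i] = I32.unpack_from(buf, off)[0]
        off += I32.size
    return items


def demo():
    """Run both readers on a legitimate message and on a constructed forged header."""
    good = encode_i32_list([1, -2, 3])
    result = {"roundtrip": read_i32_list_unchecked(good) == read_i32_list(good) == [1, -2, 3]}
    forged = encode_list_header(T_I32, 1_000_000)   # 5 bytes claiming 10^6 elements
    try:
        read_i32_list_unchecked(forged)
    except TruncatedPayload as e:
        result["unchecked_allocated"] = e.allocated
    try:
        read_i32_list(forged)
    except OversizedContainer:
        result["checked_allocated"] = 0
    return result


if __name__ == "__main__":
    print(demo())
```

The remaining-bytes check is the essential one: an i32 count can declare up to 2^31-1 elements, and multiplying that by the element size is what turns a few bytes on the wire into gigabytes of allocation in the unchecked path. A fixed cap such as MAX_CONTAINER_SIZE is a useful second line of defence for frames that are legitimately large, but on its own it still lets a client trade a handful of bytes for an allocation of the cap's full size.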

Mitigation:
Upgrade to version 0.14.0 or later

Credit:
This issue was reported by Hasnain Lakhani of Facebook.

On behalf of the Apache Thrift PMC,
Jens Geyer
