
Veracode is reporting a security flaw in libthrift-0.13.0.jar a dependency of opentracing-spring-jaeger-web-starter 3.3.1 #137

Open
ghevge opened this issue Jul 5, 2021 · 6 comments

Comments


ghevge commented Jul 5, 2021

Veracode is reporting the following security flaw in libthrift-0.13.0.jar, a dependency of opentracing-spring-jaeger-web-starter 3.3.1:

CVE-2020-13949
Denial Of Service (DoS): libthrift is vulnerable to denial of service (DoS). A malicious user can pass a short message to the system to allocate more memory than it has, causing the system to run out of memory.

Any chance to have this library bumped up? There are newer versions available. The problem was resolved in libthrift-0.14.0.jar+.

I've tried to do this upgrade manually at my project's pom level, but it seems opentracing-spring-jaeger-web-starter 3.3.1 tries to call a method that is not available anymore in libthrift-0.14.0.jar.

Thanks

@nosheenzaza

+1

@Harmelodic

This has been bumped in version 3.3.3 but has not been released to Maven Central, seemingly because of a CI/CD failure(?)

@lathspell

Any progress? opentracing-spring-jaeger-cloud-starter:3.3.1 is still the latest version on Maven Central.

@Lenasenap

Also interested in the progression of this issue.
Does anyone know of a smart workaround to implement libthrift 0.14.0+ while still using opentracing-spring-jaeger-web-starter 3.3.1?

@ajurge

ajurge commented Jan 4, 2022

We also have the same issue with libthrift-0.13.0.jar; org.owasp:dependency-check reports CVE-2020-13949.
I have added the following two dependencies manually and that seems to work:

```groovy
// Gradle: declare the newer thrift bindings directly alongside the starter
implementation("org.apache.thrift:libthrift:0.15.0")
implementation("io.jaegertracing:jaeger-thrift:1.7.0")
```

@leslion

leslion commented Jun 21, 2022

I also had the same issue, reported on Nexus IQ, and managed to get version 3.3.1 working by including an updated jaeger client in my project pom.xml:

```xml
<!-- the starter as-is ... -->
<dependency>
    <groupId>io.opentracing.contrib</groupId>
    <artifactId>opentracing-spring-jaeger-web-starter</artifactId>
    <version>3.3.1</version>
</dependency>
<!-- ... plus a direct declaration of a newer jaeger-client, which wins over the transitive one -->
<dependency>
    <groupId>io.jaegertracing</groupId>
    <artifactId>jaeger-client</artifactId>
    <version>1.8.0</version>
</dependency>
```

Additional Notes from #133 :
As mentioned by @Harmelodic, the recommendation is to move to OpenTelemetry. I just wanted to share for those who still have a legacy jaeger backend without support for OpenTelemetry client or for whatever reason need to use the jaeger client for now.
This overrides the problematic jaeger-client included in 3.3.1. Kindly consider that this is a temporary workaround.
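Both workarounds above rely on Maven or Gradle conflict resolution picking the newer libthrift, so the thing to verify after applying one is which libthrift version actually ends up on the classpath. The following is an added example, not code from this thread or from the opentracing-spring-jaeger project: a small checker that reads the plain-text output of `mvn dependency:tree` (optionally `-Dverbose`) and flags any resolved `org.apache.thrift:libthrift` older than 0.14.0, the version the thread names as the first release without CVE-2020-13949. The two dependency trees embedded in it are constructed for the example and only mirror the shape of real Maven output; the artifact versions in them (jaeger-thrift 1.6.0/1.7.0, libthrift 0.15.0) are sample values, not a claim about what any release of the starter resolves to.

```python
"""Flag libthrift versions older than 0.14.0 in `mvn dependency:tree` output.

Added example (not the project's code). Usage against a real build:
    mvn dependency:tree -Dverbose | python3 check_thrift.py
With no piped input it runs against the constructed SAMPLE_TREE below.
"""
import re
import sys

# The thread reports CVE-2020-13949 against libthrift 0.13.0 and resolved in 0.14.0+.
FIXED_VERSION = (0, 14, 0)

# Matches the coordinate Maven prints, e.g.
#   org.apache.thrift:libthrift:jar:0.13.0:compile
# The scope is optional because the root artifact line has none.
LINE_RE = re.compile(
    r"org\.apache\.thrift:libthrift:(?P<type>[\w-]+):(?P<version>[\d.]+)(?::(?P<scope>\w+))?"
)


def parse_version(text):
    """Turn '0.14.1' into (0, 14, 1); non-numeric parts (e.g. '-SNAPSHOT') are dropped
    and the tuple is padded to three components so '0.14' compares as (0, 14, 0)."""
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def find_libthrift(tree_lines):
    """Return [(version, scope, line_no)] for libthrift nodes that are actually resolved.

    In `-Dverbose` output Maven also prints the losers of conflict resolution as
    '(... - omitted for conflict with X)' / '(... - omitted for duplicate)'; those
    never reach the classpath, so they are skipped rather than reported.
    """
    found = []
    for n, line in enumerate(tree_lines, 1):
        if "omitted for" in line:
            continue
        m = LINE_RE.search(line)
        if m:
            found.append((m.group("version"), m.group("scope") or "", n))
    return found


def vulnerable(tree_lines, fixed=FIXED_VERSION):
    """Subset of resolved libthrift nodes whose version is below `fixed`."""
    return [(v, s, n) for v, s, n in find_libthrift(tree_lines) if parse_version(v) < fixed]


# Constructed sample: the starter pulling libthrift 0.13.0 transitively (the
# situation the issue describes). Versions other than libthrift are illustrative.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- io.opentracing.contrib:opentracing-spring-jaeger-web-starter:jar:3.3.1:compile
[INFO] |  \\- io.jaegertracing:jaeger-thrift:jar:1.6.0:compile
[INFO] |     \\- org.apache.thrift:libthrift:jar:0.13.0:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-web:jar:2.5.0:compile
"""

# Constructed sample of verbose output after a direct libthrift declaration wins:
# the transitive 0.13.0 is shown as omitted and must not be flagged.
SAMPLE_TREE_PATCHED = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- io.opentracing.contrib:opentracing-spring-jaeger-web-starter:jar:3.3.1:compile
[INFO] |  \\- io.jaegertracing:jaeger-thrift:jar:1.7.0:compile
[INFO] |     \\- (org.apache.thrift:libthrift:jar:0.13.0:compile - omitted for conflict with 0.15.0)
[INFO] \\- org.apache.thrift:libthrift:jar:0.15.0:compile
"""


def main():
    """Exit 1 if a vulnerable libthrift is resolved, 0 otherwise (usable as a CI gate)."""
    if sys.stdin.isatty():
        lines = SAMPLE_TREE.splitlines()
    else:
        lines = sys.stdin.read().splitlines()
    bad = vulnerable(lines)
    for version, scope, n in bad:
        print(f"line {n}: libthrift {version} ({scope}) < 0.14.0, affected by CVE-2020-13949")
    if not bad:
        print("no resolved libthrift older than 0.14.0")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main())
```

The check deliberately reads the resolved tree rather than the pom: a `<dependency>` override that is shadowed by a `<dependencyManagement>` entry, a BOM, or a nearer transitive path leaves 0.13.0 on the classpath, and that is the jar Veracode, dependency-check and Nexus IQ will keep reporting.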
