CVE-2019-11939

Name of the Vulnerable Software and Affected Versions Facebook Thrift versions prior to 2020.03.16.00

Description The issue arises when Golang Facebook Thrift servers fail to error upon receiving messages declaring containers of sizes larger than the payload. This allows malicious clients to send short messages, resulting in large memory allocations and potentially leading to denial of service.

Recommendations For versions prior to 2020.03.16.00, update to version 2020.03.16.00 or later to resolve the issue. As a temporary workaround, consider implementing checks on the declared size of messages to prevent large memory allocations. Restrict access to the Thrift server to minimize the risk of exploitation. Avoid processing messages with declared sizes larger than the actual payload size until the issue is resolved.