Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

CVE-2021-38294: Apache Storm: Shell Command Injection Vulnerability in Nimbus Thrift Server

Related Vulnerabilities: CVE-2021-38294  
Source 
                Severity: high

Description:

A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and 
Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution 
(RCE) prior to authentication. 

Mitigation:

Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0
Apache Storm 2.1.x users should upgrade to version 2.1.1
Apache Storm 1.x users should upgrade to version 1.2.4

Credit:

Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for reporting this issue.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started