<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec mailing list archives
<!--X-User-Header-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
CVE-2021-40865: Apache Storm: Unsafe Pre-Authentication Deserialization In Workers
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Derek Dagit <dagit () apache org>
Date: Thu, 21 Oct 2021 03:03:02 +0000
<!--X-Head-of-Message-End-->
<!--X-Body-of-Message-->
Severity: high
Description:
An unsafe deserialization vulnerability exists in the worker services of the Apache Storm supervisor server, allowing pre-authentication Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4.
Mitigation:
Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0
Apache Storm 2.1.x users should upgrade to version 2.1.1
Apache Storm 1.x users should upgrade to version 1.2.4
Credit:
Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for reporting this issue.
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->