oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

[CVE-2018-1332] Apache Storm user impersonation vulnerability

From: "P. Taylor Goetz" <ptgoetz () apache org>
Date: Tue, 5 Jun 2018 10:35:54 -0400
CVE-2018-1332: Apache Storm user impersonation vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Storm 1.2.1
Apache Storm 1.1.2

Description:
Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that 
could allow a user to impersonate another user when communicating with some Storm Daemons.


Mitigation:
1.2.1 users should upgrade to version 1.2.2.
1.1.2 users should upgrade to version 1.1.3.
1.0.6 users should upgrade to version 1.1.3.

Apache Storm 1.2.2 artifacts are available for immediate download here:

http://www.us.apache.org/dist/storm/apache-storm-1.2.2/

Apache Storm 1.1.3 artifacts are available for immediate download here:

http://www.us.apache.org/dist/storm/apache-storm-1.1.3/

Credit:
This issue was discovered by Bobby Evans of the Apache Storm PMC

References:
http://storm.apache.org/2018/06/04/storm122-released.html
http://storm.apache.org/2018/06/04/storm113-released.html

P. Taylor Goetz
Previous By Date Next
Previous By Thread Next

Current thread: