[CVE-2017-9799] Apache Storm Possible Code Execution As A Different User

["P. Taylor Goetz" <ptgoetz () apache org>]

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Storm 1.0.0, 1.0.1, 1.0.2, 1.0.3
Apache Storm 1.1.0

Description:
It was found that under some situations and configurations of storm it is theoretically possible for the owner of a 
topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead 
to secure credentials of the other user being compromised.  This vulnerability only applies to Apache Storm 
installations with security components enabled.

Mitigation:
Users of the affected versions should apply one of the following mitigations:

- Upgrade to Apache Storm 1.0.4 or later
- Upgrade to Apache Storm 1.1.1 or later

Apache Storm 1.1.1 and 1.0.4 can be downloaded here:

http://storm.apache.org/downloads.html

Credit:
This issue was identified by the Apche Storm PMC

References:
https://github.com/apache/storm/blob/v1.1.1/SECURITY.md <https://github.com/apache/storm/blob/v1.1.1/SECURITY.md>
https://github.com/apache/storm/blob/v1.0.4/SECURITY.md <https://github.com/apache/storm/blob/v1.0.4/SECURITY.md>