oss-sec mailing list archives

CVE-2021-40865: Apache Storm: Unsafe Pre-Authentication Deserialization In Workers


From: Derek Dagit <dagit () apache org>
Date: Thu, 21 Oct 2021 03:03:02 +0000

Severity: high

Description:

An unsafe deserialization vulnerability exists in the worker services of the Apache Storm supervisor server, allowing pre-authentication Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4.

Mitigation:

Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0
Apache Storm 2.1.x users should upgrade to version 2.1.1
Apache Storm 1.x users should upgrade to version 1.2.4

Credit:

Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for reporting this issue.
