Posted to announce@apache.org by Derek Dagit <da...@apache.org> on 2021/10/21 03:03:02 UTC
CVE-2021-40865: Apache Storm: Unsafe Pre-Authentication Deserialization In Workers
Severity: high
Description:
An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server, allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4.
Mitigation:
Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0
Apache Storm 2.1.x users should upgrade to version 2.1.1
Apache Storm 1.x users should upgrade to version 1.2.4
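The practical first step for an operator is to find out which supervisors in an inventory are still on an affected release. The script below is an added example, not part of the Apache advisory or the Storm project: it encodes only the fixed versions the advisory names (1.2.4, 2.1.1, 2.2.1 and 2.3.0) and reports "unknown" for any release line the advisory does not mention (for example 2.0.x). A qualified build such as 2.2.1-SNAPSHOT is treated as preceding the final release it is named after, so it is classified as affected rather than fixed; that conservative choice, the hostnames and the version inventory are all constructed for the example.

```python
"""Version triage for CVE-2021-40865 (Apache Storm pre-auth deserialization).

Added example; not part of the Apache advisory. It encodes only the version
facts the advisory states and returns "unknown" for release lines it does not
cover (e.g. 2.0.x), rather than guessing.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases exactly as stated in the advisory, keyed by release line.
FIXED_VERSIONS: Dict[Tuple[int, ...], Tuple[int, int, int]] = {
    (1,): (1, 2, 4),
    (2, 1): (2, 1, 1),
    (2, 2): (2, 2, 1),
}
# 2.3.0 is named by the advisory as a fixed upgrade target for 2.2.x users.
FIRST_FIXED_2_3 = (2, 3, 0)

# MAJOR.MINOR.PATCH with an optional qualifier such as -SNAPSHOT or -rc1.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]([0-9A-Za-z.-]+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, release_flag).

    release_flag is 1 for a final release and 0 for a qualified build such as
    2.2.1-SNAPSHOT, so a snapshot sorts *before* the final release it precedes
    and is never mistaken for a fixed build (assumption made for this example).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Storm version string: {version!r}")
    major, minor, patch, qualifier = m.groups()
    return int(major), int(minor), int(patch), 0 if qualifier else 1


def is_affected(version: str) -> Optional[bool]:
    """True if affected, False if fixed, None if the advisory does not cover this line."""
    major, minor, patch, rel = parse_version(version)
    v = (major, minor, patch, rel)
    if major == 1:
        fixed = FIXED_VERSIONS[(1,)]
    elif major == 2 and minor in (1, 2):
        fixed = FIXED_VERSIONS[(2, minor)]
    elif major == 2 and minor == 3:
        fixed = FIRST_FIXED_2_3
    else:
        return None  # release line not mentioned in the advisory
    # Anything strictly below the final fixed release (including its snapshots) is affected.
    return v < fixed + (1,)


def recommended_upgrade(version: str) -> Optional[str]:
    """The upgrade target the advisory gives for an affected version, else None."""
    if not is_affected(version):
        return None
    major, minor, _, _ = parse_version(version)
    if major == 1:
        return "1.2.4"
    if (major, minor) == (2, 1):
        return "2.1.1"
    if (major, minor) == (2, 2):
        return "2.2.1 or 2.3.0"
    return "2.3.0"  # a pre-release 2.3.x build: move to the 2.3.0 release (assumption)


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify each host's Storm version as 'affected', 'fixed' or 'unknown'."""
    rows = []
    for host, version in sorted(inventory.items()):
        status = is_affected(version)
        label = "unknown" if status is None else ("affected" if status else "fixed")
        rows.append((host, version, label))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "storm-sup-01": "2.2.0",
        "storm-sup-02": "2.2.1",
        "storm-sup-03": "1.2.3",
        "storm-sup-04": "2.1.1-SNAPSHOT",
        "storm-sup-05": "2.0.0",
    }
    for host, version, label in triage(sample):
        hint = recommended_upgrade(version)
        print(f"{host:14} {version:16} {label:9}" + (f"-> upgrade to {hint}" if hint else ""))
```

Feed `triage` a host-to-version map pulled from your own inventory or from `storm version` output; anything reported as "unknown" should be checked by hand against the advisory rather than assumed safe.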
Credit:
Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for reporting this issue.