'[oss-security] [CVE-2018-11779] Apache Storm UI Java deserialization vulnerability'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] [CVE-2018-11779] Apache Storm UI Java deserialization vulnerability
From:       Stig_Rohde_Døssing <srdo () apache ! org>
Date:       2019-07-24 7:27:15
Message-ID: CAG09ER1O_+YYQzj9dmTJ225JtiB-qLeMJe=ztPO1bPF0ukiLcA () mail ! gmail ! com
[Download RAW message or body]

[CVEID]:CVE-2018-11779[PRODUCT]:Apache Storm[VERSION]:Apache Storm
1.1.0 to 1.2.2[PROBLEMTYPE]:CWE-502: Deserialization of Untrusted
Data[DESCRIPTION]:In Apache Storm versions 1.1.0 to 1.2.2,
              when the user is using the storm-kafka-client or
storm-kafka modules,
              it is possible to cause the Storm UI daemon to
deserialize user provided bytes into a Java class.

Mitigation: Upgrade to Apache Storm 1.2.3 or later.

Credit: Bobby Evans for discovery and fix

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic