[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2021-38294: Apache Storm: Shell Command Injection Vulnerability in Nimbus Thrift
From: Derek Dagit <dagit () apache ! org>
Date: 2021-10-21 3:02:08
Message-ID: c61a63b1-3370-9ced-d672-d2c6a6f91c94 () apache ! org
[Download RAW message or body]
Severity: high
Description:
A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm \
2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to \
the Nimbus server allows Remote Code Execution (RCE) prior to authentication.
Mitigation:
Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0
Apache Storm 2.1.x users should upgrade to version 2.1.1
Apache Storm 1.x users should upgrade to version 1.2.4
Credit:
Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for \
reporting this issue.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic