[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2021-40865: Apache Storm: Unsafe Pre-Authentication Deserialization In Workers
From:       Derek Dagit <dagit () apache ! org>
Date:       2021-10-21 3:03:02
Message-ID: 22af59a3-7ad6-cb3d-4622-db73c8f48539 () apache ! org
[Download RAW message or body]

Severity: high

Description:

An Unsafe Deserialization vulnerability exists in the worker services of =
the Apache Storm supervisor server allowing pre-auth Remote Code Execution =
(RCE).  Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. =
Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x =
users should upgrade to version 1.2.4

Mitigation:

Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0
Apache Storm 2.1.x users should upgrade to version 2.1.1
Apache Storm 1.x users should upgrade to version 1.2.4

Credit:

Apache Storm would like to thank @pwntester Alvaro Mu=C3=B1oz of the GitHub=
 Security Lab team for reporting this issue.

[prev in list] [next in list] [prev in thread] [next in thread]