[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2021-40865: Apache Storm: Unsafe Pre-Authentication Deserialization In Workers
From: Derek Dagit <dagit () apache ! org>
Date: 2021-10-21 3:03:02
Message-ID: 22af59a3-7ad6-cb3d-4622-db73c8f48539 () apache ! org
[Download RAW message or body]
Severity: high
Description:
An Unsafe Deserialization vulnerability exists in the worker services of =
the Apache Storm supervisor server allowing pre-auth Remote Code Execution =
(RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. =
Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x =
users should upgrade to version 1.2.4
Mitigation:
Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0
Apache Storm 2.1.x users should upgrade to version 2.1.1
Apache Storm 1.x users should upgrade to version 1.2.4
Credit:
Apache Storm would like to thank @pwntester Alvaro Mu=C3=B1oz of the GitHub=
Security Lab team for reporting this issue.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic