CVE-2021-40865

Summary

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Stormv1.0.0 < Apache Storm *affected
Apache Software FoundationApache StormApache Storm < v1.2.4affected

Weaknesses

  • CWE-502: CWE-502 Deserialization of Untrusted Data

Workarounds

Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0 Apache Storm 2.1.x users should upgrade to version 2.1.1 Apache Storm 1.x users should upgrade to version 1.2.4

ADP Enrichment

CVE Program Container

Additional References

References