Description
An unsafe deserialization vulnerability exists in the worker services of the Apache Storm supervisor server, allowing pre-auth Remote Code Execution (RCE).
Remediation
Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4.
References
https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E
https://seclists.org/oss-sec/2021/q4/45
Related Vulnerabilities
CVE-2023-50775 Vulnerability in maven package org.jenkins-ci.plugins:ec2-deployment-dashboard
CVE-2020-11969 Vulnerability in maven package org.apache.tomee:openejb-core
CVE-2021-28657 Vulnerability in maven package org.apache.tika:tika-parsers
CVE-2021-45851 Vulnerability in npm package @frangoteam/fuxa
CVE-2023-27296 Vulnerability in maven package org.apache.inlong:manager-pojo