Description
An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4
Remediation
References
https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E
https://seclists.org/oss-sec/2021/q4/45
Related Vulnerabilities
CVE-2019-12384 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2023-49673 Vulnerability in maven package io.jenkins.plugins:neuvector-vulnerability-scanner
CVE-2021-25941 Vulnerability in npm package deep-override
CVE-2023-1108 Vulnerability in maven package io.undertow:undertow-core
CVE-2022-34113 Vulnerability in maven package io.dataease:dataease-plugin-common