Description
An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4
Remediation
References
https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E
https://seclists.org/oss-sec/2021/q4/45
Related Vulnerabilities
CVE-2022-31175 Vulnerability in npm package @ckeditor/ckeditor5-html-embed
CVE-2020-11972 Vulnerability in maven package org.apache.camel:camel-rabbitmq
CVE-2020-16013 Vulnerability in maven package org.webjars.npm:electron
CVE-2022-28158 Vulnerability in maven package com.surenpi.jenkins:phoenix-autotest
CVE-2022-34803 Vulnerability in maven package org.jenkins-ci.plugins:opsgenie