===================================================================== CERT-Renater Note d'Information No. 2021/VULN552 _____________________________________________________________________ DATE : 22/10/2021 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Apache Storm versions prior to 2.3.0, 2.2.1, 1.2.4. ===================================================================== http://mail-archives.apache.org/mod_mbox/www-announce/202110.mbox/%3cdb5524c6-ea41-9345-46c6-0d369cd2f4b8@apache.org%3e http://mail-archives.apache.org/mod_mbox/www-announce/202110.mbox/%3ca6cbea1b-9395-eee3-8960-fd58e80bc5f8@apache.org%3e _____________________________________________________________________ CVE-2021-38294 Apache Storm: Shell Command Injection Vulnerability in Nimbus Thrift Server Severity: high Description: A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication. Mitigation: Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0 Apache Storm 2.1.x users should upgrade to version 2.1.1 Apache Storm 1.x users should upgrade to version 1.2.4 Credit: Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for reporting this issue. _____________________________________________________________________ CVE-2021-40865 Apache Storm: Unsafe Pre-Authentication Deserialization In Workers Severity: high Description: An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4 Mitigation: Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0 Apache Storm 2.1.x users should upgrade to version 2.1.1 Apache Storm 1.x users should upgrade to version 1.2.4 Credit: Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for reporting this issue. ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================