Remote code execution in Apache Storm

Published: 2018-07-11 12:11:45
Severity: High
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2018-1331
CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CWE ID: CWE-264
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Apache Storm
Vulnerable software versions:
Apache Storm 0.10.2
Apache Storm 0.10.1
Apache Storm 0.10.0

Vendor URL: Apache Foundation

Security Advisory

1) Remote code execution

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.

The vulnerability exists due to an unspecified flaw. A remote attacker on a secure Storm cluster can execute arbitrary code with the privileges of a different user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Remediation

The vulnerability is fixed in versions 1.1.3 and 1.2.2.

External links

http://storm.apache.org/2018/06/04/storm113-released.html
http://storm.apache.org/2018/06/04/storm122-released.html
