OESA-2021-1415

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1415
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2021-1415.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2021-1415
Upstream
Published
2021-11-04T11:03:19Z
Modified
2025-09-03T06:17:35.078373Z
Summary
storm security update
Details

Apache Storm realtime computation system

Security Fix(es):

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server, allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4. (CVE-2021-40865)

A Command Injection vulnerability exists in the getTopologyHistory service of Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication. (CVE-2021-38294)

Database specific
{
    "severity": "Critical"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / storm

Package

Name
storm
Purl
pkg:rpm/openEuler/storm&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.2.4-1.oe1

Ecosystem specific

{
    "src": [
        "storm-1.2.4-1.oe1.src.rpm"
    ],
    "aarch64": [
        "storm-1.2.4-1.oe1.aarch64.rpm"
    ],
    "x86_64": [
        "storm-1.2.4-1.oe1.x86_64.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2021-1415.json"

openEuler:20.03-LTS-SP2 / storm

Package

Name
storm
Purl
pkg:rpm/openEuler/storm&distro=openEuler-20.03-LTS-SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.2.4-1.oe1

Ecosystem specific

{
    "src": [
        "storm-1.2.4-1.oe1.src.rpm"
    ],
    "aarch64": [
        "storm-1.2.4-1.oe1.aarch64.rpm"
    ],
    "x86_64": [
        "storm-1.2.4-1.oe1.x86_64.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2021-1415.json"