Description
An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server, allowing pre-auth Remote Code Execution (RCE).
Remediation
Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4.
References
https://seclists.org/oss-sec/2021/q4/45
https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E
Related Vulnerabilities
CVE-2019-16552 Vulnerability in maven package com.sonyericsson.hudson.plugins.gerrit:gerrit-trigger
CVE-2021-21349 Vulnerability in maven package com.thoughtworks.xstream:xstream
CVE-2020-15135 Vulnerability in npm package save-server
CVE-2022-45135 Vulnerability in maven package org.apache.cocoon:cocoon-databases-impl