Shell Command Injection Vulnerability in Nimbus Thrift Server
CVE-2021-38294

9.8CRITICAL

Key Information:

Vendor
Apache
Status
Apache Storm
Vendor
CVE Published:
25 October 2021

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 91%

Summary

A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.

Affected Version(s)

Apache Storm Apache Storm

Apache Storm Non-Windows v1.0.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Metasploit exploit module for CVE-2021-38294
Created by Rapid7

References

https://lists.apache.org/thread.html/r5fe881f6ca883908b7a...
x_refsource_MISC
https://seclists.org/oss-sec/2021/q4/44
x_refsource_MISC
http://packetstormsecurity.com/files/165019/Apache-Storm-...
x_refsource_MISC

EPSS Score

91% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for reporting this issue.
.