Unsafe Pre-Authentication Deserialization In Workers
CVE-2021-40865

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Storm
Vendor: CVE Published:; 25 October 2021

Badges

👾 Exploit Exists🟡 Public PoC

Summary

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4

Affected Version(s)

Apache Storm v1.0.0

Apache Storm Apache Storm

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-40865
Created by hktalent

References

https://lists.apache.org/thread.html/r8d45e74299897b6734d...

x_refsource_MISC

https://seclists.org/oss-sec/2021/q4/45

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Nov 26, 2021
👾
Exploit known to exist
Nov 26, 2021
Vulnerability published
Oct 25, 2021
Vulnerability Reserved
Sep 12, 2021

Credit

Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for reporting this issue.