Vulnerability Details CVE-2021-40865
An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4
Exploit prediction scoring system (EPSS) score
EPSS Score 0.547
EPSS Ranking 97.9%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E
- https://seclists.org/oss-sec/2021/q4/45
- https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E
- https://seclists.org/oss-sec/2021/q4/45
Products affected by CVE-2021-40865
-
cpe:2.3:a:apache:storm:1.0.0
-
cpe:2.3:a:apache:storm:1.0.1
-
cpe:2.3:a:apache:storm:1.0.2
-
cpe:2.3:a:apache:storm:1.0.3
-
cpe:2.3:a:apache:storm:1.0.4
-
cpe:2.3:a:apache:storm:1.0.5
-
cpe:2.3:a:apache:storm:1.0.6
-
cpe:2.3:a:apache:storm:1.0.7
-
cpe:2.3:a:apache:storm:1.1
-
cpe:2.3:a:apache:storm:1.1.0
-
cpe:2.3:a:apache:storm:1.1.1
-
cpe:2.3:a:apache:storm:1.1.2
-
cpe:2.3:a:apache:storm:1.1.3
-
cpe:2.3:a:apache:storm:1.2.0
-
cpe:2.3:a:apache:storm:1.2.1
-
cpe:2.3:a:apache:storm:1.2.2
-
cpe:2.3:a:apache:storm:1.2.3
-
cpe:2.3:a:apache:storm:2.1.0
-
cpe:2.3:a:apache:storm:2.2.0