CVE-2021-40865

Unsafe Pre-Authentication Deserialization In Workers

EPSS 65.6%CWE-502

Vexday Risk Score

15Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 65.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

25 Oct 2021Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4

Affected products

Apache Software Foundation · Apache Storm

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E https://seclists.org/oss-sec/2021/q4/45