Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 9 Aug 2017 15:22:55 -0400
From: "P. Taylor Goetz" <ptgoetz@...che.org>
To: user@...rm.apache.org,
 dev@...rm.apache.org
Cc: security@...che.org,
 oss-security@...ts.openwall.com,
 bugtraq@...urityfocus.com
Subject: [CVE-2017-9799] Apache Storm Possible Code Execution As A Different
 User 

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Storm 1.0.0, 1.0.1, 1.0.2, 1.0.3
Apache Storm 1.1.0

Description:
It was found that under some situations and configurations of storm it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead to secure credentials of the other user being compromised.  This vulnerability only applies to Apache Storm installations with security components enabled.

Mitigation:
Users of the affected versions should apply one of the following mitigations:

- Upgrade to Apache Storm 1.0.4 or later
- Upgrade to Apache Storm 1.1.1 or later

Apache Storm 1.1.1 and 1.0.4 can be downloaded here:

http://storm.apache.org/downloads.html

Credit:
This issue was identified by the Apche Storm PMC

References:
https://github.com/apache/storm/blob/v1.1.1/SECURITY.md <https://github.com/apache/storm/blob/v1.1.1/SECURITY.md>
https://github.com/apache/storm/blob/v1.0.4/SECURITY.md <https://github.com/apache/storm/blob/v1.0.4/SECURITY.md>


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ