Date: Wed, 9 Aug 2017 15:22:55 -0400 From: "P. Taylor Goetz" <ptgoetz@...che.org> To: user@...rm.apache.org, dev@...rm.apache.org Cc: security@...che.org, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com Subject: [CVE-2017-9799] Apache Storm Possible Code Execution As A Different User Severity: High Vendor: The Apache Software Foundation Versions Affected: Apache Storm 1.0.0, 1.0.1, 1.0.2, 1.0.3 Apache Storm 1.1.0 Description: It was found that under some situations and configurations of storm it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead to secure credentials of the other user being compromised. This vulnerability only applies to Apache Storm installations with security components enabled. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Storm 1.0.4 or later - Upgrade to Apache Storm 1.1.1 or later Apache Storm 1.1.1 and 1.0.4 can be downloaded here: http://storm.apache.org/downloads.html Credit: This issue was identified by the Apche Storm PMC References: https://github.com/apache/storm/blob/v1.1.1/SECURITY.md <https://github.com/apache/storm/blob/v1.1.1/SECURITY.md> https://github.com/apache/storm/blob/v1.0.4/SECURITY.md <https://github.com/apache/storm/blob/v1.0.4/SECURITY.md>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ