[CVEID]: CVE-2018-11779
[PRODUCT]: Apache Storm
[VERSION]: Apache Storm 1.1.0 to 1.2.2
[PROBLEMTYPE]: CWE-502: Deserialization of Untrusted Data
[DESCRIPTION]: In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is pos
[CVEID]: CVE-2018-1320
[PRODUCT]: Apache Storm
[VERSION]: Apache Storm 0.9.1-incubating to 1.2.2
[PROBLEMTYPE]: CWE-20: Input Validation
[DESCRIPTION]: Apache Storm versions 0.9.1-incubating to 1.2.2 use Thrift library versions vulnerable to CVE-2018-1320.
Mitigation: Upgrade to Apache Storm
versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpoints.
Mitigation: Upgrade to Apache Storm 1.2.3 or later.
Credit: Stig Rohde Døssing for discovery and fix
The Apache Storm community is pleased to announce the release of Apache
Storm version 1.2.3.
Storm is a distributed, fault-tolerant, and high-performance realtime
computation system that provides strong guarantees on the processing of
data. You can read more about Storm on the project website:
h