CVE-2021-40865: Deserialization of Untrusted Data

October 27, 2021 (updated October 29, 2021)

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4

References

github.com/advisories/GHSA-w729-7633-2fw5
lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2021-40865
seclists.org/oss-sec/2021/q4/45

Detect and mitigate CVE-2021-40865 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →