CVE-2017-9799
First published: Wed Aug 09 2017(Updated: )
It was found that under some situations and configurations of Apache Storm 1.x before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead to secure credentials of the other user being compromised.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Storm | =1.0 | |
| Apache Storm | =1.0.1 | |
| Apache Storm | =1.0.2 | |
| Apache Storm | =1.0.3 | |
| Apache Storm | =1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/100235
- http://www.securitytracker.com/id/1039116
- https://lists.apache.org/thread.html/b9125bf507ed6f2ca6e85ba1a4b44e232aa70eeddfba2a9d8a954127@%3Cdev.storm.apache.org%3E
- https://lists.apache.org/thread.html/b9125bf507ed6f2ca6e85ba1a4b44e232aa70eeddfba2a9d8a954127%40%3Cdev.storm.apache.org%3E
- collector/nvd-index
- agent/severity
- agent/author
- agent/references
- agent/event
- agent/type
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache storm
- version/apache storm/1.0
- version/apache storm/1.0.1
- version/apache storm/1.0.2
- version/apache storm/1.0.3
- version/apache storm/1.1