Apache · Apache Storm · CVE-2026-35337
**Name of the Vulnerable Software and Affected Versions**
Apache Storm versions prior to 2.8.6
**Description**
An issue exists when processing topology credentials submitted via the Nimbus Thrift API. The software deserializes the base64-encoded TGT blob with `ObjectInputStream.readObject()` without class filtering or validation. An authenticated user with topology submission rights can supply a crafted serialized object in the `TGT` credential field, which may lead to remote code execution in both the Nimbus and Worker JVMs.
**Recommendations**
Upgrade to version 2.8.6.
As a temporary workaround, patch `deserializeKerberosTicket()` in `ClientAuthUtils` to install an `ObjectInputFilter` allow-list that restricts deserialized classes to `javax.security.auth.kerberos.KerberosTicket` and its known dependencies.
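To make the vulnerable call and the recommended workaround concrete, here is an added standalone example (not code from the Apache Storm project): the unfiltered `readObject()` pattern the description refers to, next to the same decode-and-cast with an `ObjectInputFilter` allow-list installed, as the workaround suggests. It requires JDK 9 or later. The class and method names `TgtDeserializationExample`, `deserializeUnfiltered`, `deserializeFiltered`, `tgtFilter` and `toBase64` are my own; the set of classes admitted alongside `KerberosTicket` is my reading of its serialized form and must be checked against the JDK actually in use; the ticket built in `main` is constructed dummy data, not a real TGT.

```java
import java.io.*;
import java.util.*;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public final class TgtDeserializationExample {

    // Vulnerable pattern from the advisory: the decoded blob goes straight to
    // readObject() with no filter, so any serializable class on the classpath
    // may be instantiated (and its readObject() run) before the cast is reached.
    static KerberosTicket deserializeUnfiltered(String base64Tgt)
            throws IOException, ClassNotFoundException {
        byte[] bytes = Base64.getDecoder().decode(base64Tgt);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (KerberosTicket) ois.readObject();
        }
    }

    // Allow-list for the ticket's serialized form. ASSUMPTION of this example:
    // derived from reading the JDK classes; verify against the JDK you deploy.
    // Arrays (byte[], boolean[], InetAddress[]) are matched by element type below.
    private static final Set<String> ALLOWED = Set.of(
            "javax.security.auth.kerberos.KerberosTicket",
            "javax.security.auth.kerberos.KerberosPrincipal",
            "javax.security.auth.kerberos.KeyImpl",        // session key holder
            "java.util.Date",
            "java.net.InetAddress",
            "java.net.Inet4Address",
            "java.net.Inet6Address");

    // Filter consulted by ObjectInputStream before each class is resolved, so a
    // disallowed class is refused before any of its code can run.
    static ObjectInputFilter tgtFilter() {
        return info -> {
            // Structural limits apply to every callback, including back-references.
            if (info.depth() > 8 || info.references() > 256 || info.arrayLength() > 64 * 1024) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> clazz = info.serialClass();
            if (clazz == null) {
                return ObjectInputFilter.Status.UNDECIDED; // no class to judge (e.g. a reference)
            }
            while (clazz.isArray()) {
                clazz = clazz.getComponentType();
            }
            if (clazz.isPrimitive() || ALLOWED.contains(clazz.getName())) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ObjectInputFilter.Status.REJECTED;
        };
    }

    // Hardened form: same decode and cast, but the filter is installed first.
    static KerberosTicket deserializeFiltered(String base64Tgt)
            throws IOException, ClassNotFoundException {
        byte[] bytes = Base64.getDecoder().decode(base64Tgt);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(tgtFilter());
            return (KerberosTicket) ois.readObject(); // InvalidClassException if rejected
        }
    }

    // Helper: serialize an object into the base64 form the credential field carries.
    static String toBase64(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo ticket: dummy ASN.1 bytes and an all-zero AES-128 key.
        Date now = new Date();
        KerberosTicket ticket = new KerberosTicket(
                new byte[] {0x30, 0x00},
                new KerberosPrincipal("alice@EXAMPLE.COM"),
                new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
                new byte[16], 17, new boolean[32],
                now, now, new Date(now.getTime() + 3_600_000L), null, null);
        KerberosTicket back = deserializeFiltered(toBase64(ticket));
        System.out.println("ticket accepted for " + back.getClient().getName());

        // A harmless but non-allow-listed object is refused before it is instantiated.
        try {
            deserializeFiltered(toBase64(new ArrayList<>(List.of("not a ticket"))));
            System.out.println("unexpected: accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter runs before the stream resolves a class, so a rejected class is never instantiated and its `readObject()` never executes. If the allow-list is too narrow, legitimate tickets fail closed with `InvalidClassException`, which is visible in the Nimbus log and is the safe failure direction; widen the list only after confirming the missing class is part of the ticket's own serialized form. The same policy can be expressed as a pattern string with `ObjectInputFilter.Config.createFilter(...)`, ending in `!*` so that everything not listed is rejected.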