PT-2017-19193 · Apache · Apache Storm

Published

2017-08-09

Updated

2019-10-03

CVE-2017-9799

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Apache Storm versions 1.0.0 through 1.0.3 Apache Storm versions 1.1.0 through 1.1.0

Description A security issue was discovered in Apache Storm where, under certain situations and configurations, the owner of a topology could potentially trick the supervisor into launching a worker as a different, non-root user. This could lead to the compromise of secure credentials of the other user.

Recommendations For Apache Storm versions 1.0.0 through 1.0.3, update to version 1.0.4 or later. For Apache Storm versions 1.1.0 through 1.1.0, update to version 1.1.1 or later.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2017-9799

GHSA-X825-RJWW-2245

SUSE-SU-2017:3000-1

Affected Products

Apache Storm

PT-2017-19193 · Apache · Apache Storm

CVE-2017-9799

Related Identifiers

Affected Products

References · 13