Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Storm 1.0.0, 1.0.1, 1.0.2, 1.0.3
Apache Storm 1.1.0

It was found that under some situations and configurations of Storm it is
theoretically possible for the owner of a topology to trick the supervisor into
launching a worker as a different, non-root, user. In the worst case this could
lead to secure credentials of the other user being compromised. This
vulnerability only applies to Apache Storm installations with security
components enabled.

Users of the affected versions should apply one of the following mitigations:

- Upgrade to Apache Storm 1.0.4 or later
- Upgrade to Apache Storm 1.1.1 or later

Apache Storm 1.1.1 and 1.0.4 can be downloaded here:

This issue was identified by the Apache Storm PMC
