Severity: High Vendor: The Apache Software Foundation
Versions Affected: Apache Storm 1.0.0, 1.0.1, 1.0.2, 1.0.3 Apache Storm 1.1.0 Description: It was found that under some situations and configurations of storm it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead to secure credentials of the other user being compromised. This vulnerability only applies to Apache Storm installations with security components enabled. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Storm 1.0.4 or later - Upgrade to Apache Storm 1.1.1 or later Apache Storm 1.1.1 and 1.0.4 can be downloaded here: http://storm.apache.org/downloads.html Credit: This issue was identified by the Apche Storm PMC References: https://github.com/apache/storm/blob/v1.1.1/SECURITY.md <https://github.com/apache/storm/blob/v1.1.1/SECURITY.md> https://github.com/apache/storm/blob/v1.0.4/SECURITY.md <https://github.com/apache/storm/blob/v1.0.4/SECURITY.md>