SUSE CVE-2018-11779
In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class...
GHSA-25PC-85QF-6J69 Deserialization of Untrusted Data in Apache Storm
In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class...
org.apache.storm:storm-kafka-client-examples (>=1.1.0 <=1.2.2), org.apache.storm:storm-kafka-examples (>=1.1.0 <=1.2.2) potentially affected by CVE-2018-11779 via org.apache.storm:storm-kafka (>=1.1.0 <=1.2.2)
org.apache.storm:storm-kafka MAVEN version =1.1.0, =1.1.0, =1.1.0, =1.2.2 Source cves: CVE-2018-11779 Source advisory: OSV:GHSA-25PC-85QF-6J69...
org.apache.storm:storm-kafka-client-examples (>=1.1.0 <=1.2.2), uk.co.gresearch.siembol:config-editor-sync (>=1.0.0 <=1.3.0) potentially affected by CVE-2018-11779 via org.apache.storm:storm-kafka-client (>=1.1.0 <=1.2.2)
org.apache.storm:storm-kafka-client MAVEN version =1.1.0, =1.1.0, =1.0.0, =1.3.0 Source cves: CVE-2018-11779 Source advisory: OSV:GHSA-25PC-85QF-6J69...
CVE-2018-11779
Technical details about CVE-2018-11779 are not provided in the supplied documents. Monitor for updates from official advisories.
Deserialization Of Untrusted Object
The Apache Storm UI Daemon is vulnerable to deserialization of untrusted objects. When it is used with the storm-kafka-client or storm-kafka modules, it does not filter untrusted input bytes before deserialization, allowing an attacker to provide malicious bytes to abuse the logic of the applicati...