Platform
java
Component
org.apache.storm:storm-client
Fixed in
2.8.6
CVE-2026-35337 describes an Insecure Deserialization vulnerability found in Apache Storm, specifically when processing topology credentials through the Nimbus Thrift API. This flaw allows an authenticated user to potentially execute arbitrary code on both the Nimbus and Worker JVMs by submitting a crafted serialized object. Versions affected are those prior to 2.8.6; upgrading to version 2.8.6 is the recommended fix.
CVE-2026-35337 in Apache Storm Client affects versions prior to 2.8.6. It enables remote code execution (RCE) through the deserialization of untrusted data. An authenticated user with topology submission privileges can craft a malicious serialized object within the 'TGT' credential field. This object is then deserialized using ObjectInputStream.readObject() in both Nimbus and Worker nodes, without any class filtering or validation, allowing arbitrary code execution. The CVSS score for this vulnerability is 8.8, indicating a high-severity risk. Successful exploitation could lead to complete control of the Storm cluster.
The vulnerability is exploited through the Nimbus Thrift API, specifically when submitting a topology with crafted credentials. The attacker needs to authenticate and have topology submission permissions. The attack involves creating a malicious serialized object that, upon deserialization, executes arbitrary code on the Nimbus or Worker server. The attack complexity is relatively low, requiring only manipulation of a field in the API request. While authentication limits the attack scope, the possibility of RCE makes it a significant threat. The lack of class validation during deserialization is the root cause of the vulnerability.
Exploit status
EPSS
0.42% (62nd percentile)
CVSS vector
The primary mitigation for CVE-2026-35337 is to upgrade Apache Storm Client to version 2.8.6 or later. This version includes fixes to prevent insecure deserialization of data. As a temporary measure, restrict access to the Nimbus Thrift API to trusted users and systems. Implementing a Web Application Firewall (WAF) to inspect and filter incoming traffic for malicious patterns is also recommended. Monitoring Nimbus and Worker logs for suspicious activity can help detect and respond to potential attacks. Upgrading is the most effective and recommended solution.
Upgrade to Apache Storm version 2.8.6. If you cannot upgrade immediately, apply an ObjectInputFilter patch that restricts the deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies, following the instructions in the 2.8.6 release notes.
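The following is an added illustration, not code from the Storm project, of the two patterns the advisory contrasts: an unfiltered ObjectInputStream.readObject() call of the kind described above, beside the same call guarded by a JEP 290 ObjectInputFilter allowlist as the interim mitigation recommends. The allowlist (KerberosTicket plus the classes that appear in its JDK serialized form), the size limits, and the method names deserializeUnfiltered/deserializeFiltered are assumptions made for this example; the authoritative class list is the one in the 2.8.6 release notes. It requires Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

/**
 * Illustrative example (not Apache Storm code): unfiltered versus
 * allowlist-filtered Java deserialization. Assumes no JVM-wide
 * jdk.serialFilter is configured, so the unfiltered path really is unfiltered.
 */
public class CredentialDeserializationFilterDemo {

    /**
     * Assumed allowlist: KerberosTicket and the classes found in its serialized
     * form in the JDK. Take the authoritative list from the 2.8.6 release notes.
     * The built-in pattern filter unwraps arrays to their component type and
     * leaves primitive arrays (byte[], boolean[]) undecided, so they need no
     * entry; "!*" rejects every class not matched earlier. The depth and byte
     * limits are illustrative values, not numbers from the advisory.
     */
    static final ObjectInputFilter KERBEROS_TICKET_ONLY = ObjectInputFilter.Config.createFilter(
            "javax.security.auth.kerberos.KerberosTicket;"
          + "javax.security.auth.kerberos.KerberosPrincipal;"
          + "javax.security.auth.kerberos.KeyImpl;"
          + "java.util.Date;"
          + "java.net.InetAddress;"
          + "java.net.Inet4Address;"
          + "java.net.Inet6Address;"
          + "maxdepth=8;maxbytes=65536;"
          + "!*");

    /** Vulnerable pattern: whatever class the stream names is resolved and instantiated. */
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: the filter is consulted for every class before it is resolved. */
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(KERBEROS_TICKET_ONLY);
            return in.readObject();
        }
    }

    /** Helper used to build the constructed sample inputs below. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a Date stands in for a class on the allowlist, an
        // ArrayList for one that is not. Neither is harmful; the point is only
        // which class names the filter lets through.
        byte[] allowed = serialize(new Date(0L));
        byte[] notAllowed = serialize(new ArrayList<>(List.of("x")));

        System.out.println("unfiltered, ArrayList: " + deserializeUnfiltered(notAllowed).getClass());
        System.out.println("filtered,   Date:      " + deserializeFiltered(allowed).getClass());
        try {
            deserializeFiltered(notAllowed);
            System.out.println("filtered,   ArrayList: accepted (unexpected)");
        } catch (InvalidClassException e) {
            // ObjectInputStream reports a REJECTED filter decision as InvalidClassException.
            System.out.println("filtered,   ArrayList: rejected -> " + e.getMessage());
        }
    }
}
```

Because the filter runs before a class is resolved, a rejected class name never reaches a constructor or readObject() method, which is the property that matters here. The allowlist shape (explicit names then `!*`) is what keeps the fix from depending on knowing which classes are dangerous; the same filter can also be installed process-wide through the `jdk.serialFilter` system property rather than per stream.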
Apache Storm is an open-source distributed real-time computation system.
The vulnerability allows remote code execution, potentially compromising the security of the entire Storm cluster.
Restrict access to the Nimbus Thrift API and monitor logs for suspicious activity.
Vulnerability scanners can detect the Storm version and alert on this vulnerability.
If your Apache Storm version is prior to 2.8.6, it is vulnerable.