An update for storm is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2021-1415 Final 1.0 1.0 2021-11-04 Initial 2021-11-04 2021-11-04 openEuler SA Tool V1.0 2021-11-04 storm security update An update for storm is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2. Apache Storm realtime computation system Security Fix(es): An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4.(CVE-2021-40865) A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.(CVE-2021-38294) An update for storm is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical storm https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1415 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-40865 https://nvd.nist.gov/vuln/detail/CVE-2021-40865 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 storm-1.2.4-1.oe1.noarch.rpm storm-1.2.4-1.oe1.noarch.rpm storm-1.2.4-1.oe1.src.rpm storm-1.2.4-1.oe1.src.rpm An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4. 2021-11-04 CVE-2021-40865 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H storm security update 2021-11-04 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1415 A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication. 2021-11-04 CVE-2021-38294 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H storm security update 2021-11-04 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1415