{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Critical" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"storm security update", "category":"general", "title":"Synopsis" }, { "text":"An update for storm is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2.", "category":"general", "title":"Summary" }, { "text":"Apache Storm realtime computation system\n\nSecurity Fix(es):\n\nAn Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4.(CVE-2021-40865)\nA Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.(CVE-2021-38294)", "category":"general", "title":"Description" }, { "text":"An update for storm is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2.\n\nopenEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Critical", "category":"general", "title":"Severity" }, { "text":"storm", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2021-1415", "category":"self", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1415" }, { "summary":"CVE-2021-40865", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2021-40865&packageName=storm" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2021-40865" }, { "summary":"openEuler-SA-2021-1415 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2021/csaf-openeuler-sa-2021-1415.json" } ], "title":"An update for storm is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2", "tracking":{ "initial_release_date":"2021-11-04T09:23:43+08:00", "revision_history":[ { "date":"2021-11-04T09:23:43+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T09:23:43+08:00", "summary":"final", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T09:23:43+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T09:23:43+08:00", "id":"openEuler-SA-2021-1415", "version":"2.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"openEuler-20.03-LTS-SP1", "name":"openEuler-20.03-LTS-SP1" }, "name":"openEuler-20.03-LTS-SP1", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2" }, "product_id":"openEuler-20.03-LTS-SP2", "name":"openEuler-20.03-LTS-SP2" }, "name":"openEuler-20.03-LTS-SP2", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"storm-1.2.4-1.oe1.aarch64.rpm(20.03-LTS-SP1)", "name":"storm-1.2.4-1.oe1.aarch64.rpm" }, "name":"storm-1.2.4-1.oe1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2" }, "product_id":"storm-1.2.4-1.oe1.aarch64.rpm(20.03-LTS-SP2)", "name":"storm-1.2.4-1.oe1.aarch64.rpm" }, "name":"storm-1.2.4-1.oe1.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"storm-1.2.4-1.oe1.src.rpm(20.03-LTS-SP1)", "name":"storm-1.2.4-1.oe1.src.rpm" }, "name":"storm-1.2.4-1.oe1.src.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2" }, "product_id":"storm-1.2.4-1.oe1.src.rpm(20.03-LTS-SP2)", "name":"storm-1.2.4-1.oe1.src.rpm" }, "name":"storm-1.2.4-1.oe1.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"storm-1.2.4-1.oe1.x86_64.rpm(20.03-LTS-SP1)", "name":"storm-1.2.4-1.oe1.x86_64.rpm" }, "name":"storm-1.2.4-1.oe1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2" }, "product_id":"storm-1.2.4-1.oe1.x86_64.rpm(20.03-LTS-SP2)", "name":"storm-1.2.4-1.oe1.x86_64.rpm" }, "name":"storm-1.2.4-1.oe1.x86_64.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"storm-1.2.4-1.oe1.aarch64.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.aarch64", "name":"storm-1.2.4-1.oe1.aarch64 as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP2", "product_reference":"storm-1.2.4-1.oe1.aarch64.rpm(20.03-LTS-SP2)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.aarch64", "name":"storm-1.2.4-1.oe1.aarch64 as a component of openEuler-20.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"storm-1.2.4-1.oe1.src.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.src", "name":"storm-1.2.4-1.oe1.src as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP2", "product_reference":"storm-1.2.4-1.oe1.src.rpm(20.03-LTS-SP2)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.src", "name":"storm-1.2.4-1.oe1.src as a component of openEuler-20.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"storm-1.2.4-1.oe1.x86_64.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.x86_64", "name":"storm-1.2.4-1.oe1.x86_64 as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP2", "product_reference":"storm-1.2.4-1.oe1.x86_64.rpm(20.03-LTS-SP2)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.x86_64", "name":"storm-1.2.4-1.oe1.x86_64 as a component of openEuler-20.03-LTS-SP2" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2021-40865", "notes":[ { "text":"An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.src", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.src", "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.x86_64", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.src", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.src", "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.x86_64", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.x86_64" ], "details":"storm security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1415" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"CRITICAL", "baseScore":9.8, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.src", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.src", "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.x86_64", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.x86_64" ] } ], "threats":[ { "details":"Critical", "category":"impact" } ], "title":"CVE-2021-40865" }, { "cve":"CVE-2021-38294", "notes":[ { "text":"A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.src", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.src", "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.x86_64", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.src", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.src", "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.x86_64", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.x86_64" ], "details":"storm security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1415" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"CRITICAL", "baseScore":9.8, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.src", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.src", "openEuler-20.03-LTS-SP1:storm-1.2.4-1.oe1.x86_64", "openEuler-20.03-LTS-SP2:storm-1.2.4-1.oe1.x86_64" ] } ], "threats":[ { "details":"Critical", "category":"impact" } ], "title":"CVE-2021-38294" } ] }