CVE-2015-3188
Apache Storm remote code execution vulnerability
9.8
CRITICAL
CVSS 3.1
EPSS 12.4%
Description
The UI daemon in Apache Storm 0.10.0-beta allows remote users to run arbitrary code as the user running the web server. With Kerberos authentication this could allow impersonation of arbitrary users on other systems, including HDFS and HBase.
How to fix CVE-2015-3188
To remediate CVE-2015-3188, upgrade the affected package to a fixed version below.
- Maven/org.apache.storm:storm—upgrade to 0.10.0-beta1 or later
Is CVE-2015-3188 being exploited?
Moderate — EPSS is 12.4%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- >= 0.10.0-beta, < 0.10.0-beta1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |