Apache Storm Deserialization Vulnerability Leading to Remote Code Execution

Vulnerability

A deserialization vulnerability has been identified in Apache Storm versions prior to 2.8.6. When topology credentials are processed through the Nimbus Thrift API, Storm decodes the base64-encoded Kerberos Ticket-Granting Ticket (TGT) and deserializes it with ObjectInputStream.readObject() without any validation or class filtering. An authenticated user with permission to submit topologies can therefore place a malicious serialized object in the TGT credential field, which is deserialized, and potentially executes code, in both the Nimbus and Worker JVMs.

Impact

Exploitation of this vulnerability allows for remote code execution on the servers running Apache Storm, affecting both the Nimbus and Worker components.

Remediation

Users of Apache Storm 2.x should upgrade to version 2.8.6. Those unable to upgrade immediately should apply a monkey-patch that adds an ObjectInputFilter allow-list to the ClientAuthUtils.deserializeKerberosTicket() method, restricting deserialization to javax.security.auth.kerberos.KerberosTicket and its known dependencies. Instructions for this workaround are available in the release notes for version 2.8.6.
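The following is an added example, not code from the Apache Storm project, contrasting the unfiltered readObject() pattern described above with the allow-listed variant the remediation calls for. The method names are hypothetical, and the concrete list of "known dependencies" of KerberosTicket in the allow-list pattern is an assumption that must be checked against the JDK in use; the filter fails closed, so a missing entry shows up as an InvalidClassException rather than as an unsafe accept. The demo uses a java.util.Date (inside the allow-list) and an ArrayList (outside it) as constructed stand-ins, so it runs without a Kerberos environment.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Date;

public class FilteredTicketDeserializer {

    // Allow-list in JEP 290 pattern syntax (JDK 9+). The advisory names
    // javax.security.auth.kerberos.KerberosTicket "and its known dependencies";
    // the dependency entries below are an ASSUMPTION about what a serialized
    // KerberosTicket graph contains and must be confirmed against the JDK in use.
    // Anything not matched is rejected, so an incomplete list fails closed.
    static final String ALLOW_LIST =
          "javax.security.auth.kerberos.*;"   // KerberosTicket, KerberosPrincipal, KeyImpl
        + "java.util.Date;"                   // authTime, startTime, endTime, renewTill
        + "java.net.InetAddress;"             // clientAddresses (assumption: Inet4Address
        + "java.net.Inet6Address;"            //   serializes via InetAddress)
        + "maxdepth=8;maxarray=65536;"        // bound object-graph depth and array sizes
        + "!*";                               // reject every other class

    static final ObjectInputFilter TICKET_FILTER =
            ObjectInputFilter.Config.createFilter(ALLOW_LIST);

    /** The pattern the advisory describes: base64 decode, then readObject() with no filter. */
    static Object deserializeUnfiltered(String base64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return ois.readObject();   // any serializable class on the classpath may be instantiated
        }
    }

    /** Hardened variant: same decoding, but the stream is gated by the allow-list. */
    static Object deserializeFiltered(String base64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            ois.setObjectInputFilter(TICKET_FILTER);   // must be set before the first readObject()
            return ois.readObject();
        }
    }

    /** Helper: serialize an object and base64-encode it, the form the credential field carries. */
    static String toBase64(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: Date stands in for an allowed dependency class,
        // ArrayList stands in for any class outside the allow-list.
        String allowed = toBase64(new Date(0));
        String outside = toBase64(new ArrayList<String>());

        System.out.println("filtered, allowed class : " + deserializeFiltered(allowed));

        try {
            deserializeFiltered(outside);
            System.out.println("filtered, other class   : accepted (unexpected)");
        } catch (InvalidClassException e) {
            // Expected: the filter reports status REJECTED for java.util.ArrayList
            System.out.println("filtered, other class   : rejected -> " + e.getMessage());
        }

        // The unfiltered path accepts the same payload; this is the behaviour the fix removes.
        System.out.println("unfiltered, other class : "
                + deserializeUnfiltered(outside).getClass().getName());
    }
}
```

The filter must be installed on the ObjectInputStream before the first readObject() call, since the check runs as each class descriptor is resolved; a process-wide default can also be set with the jdk.serialFilter system property, but a per-stream allow-list scoped to the credential-decoding method, as the release notes' monkey-patch does, keeps the restriction from interfering with other deserialization in the same JVM.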

Added: Apr 13, 2026, 10:20 AM
Updated: Apr 13, 2026, 10:20 AM

Vulnerability Rating

Custom Algorithm

spread          2.6
impact          7.5
exploitability  4.3
remediation     7.7
relevance       5.8
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.