What is CVE-2018-11779?

CVE-2018-11779 is a vulnerability in Apache Storm, classified under Deserialization of Untrusted Data. Published 2019-07-25.

Is CVE-2018-11779 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Deserialization in Apache Storm

CVE-2018-11779

In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class.

Vulnerability class: Insecure Deserialization

EPSS: 0.015 (81.3th percentile) — read the EPSS interpretation.

Affected products

Apache Storm — versions 1.1.0 to 1.2.2

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

Public proof-of-concept exploits

ARPSyndicate/cvemon
PalindromeLabs/Java-Deserialization-CVEs

References

[storm-user] 20190724 [CVE-2018-11779] Apache Storm UI Java deserialization vulnerability (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2018-11779?: CVE-2018-11779 is a vulnerability in Apache Storm, classified under Deserialization of Untrusted Data. Published 2019-07-25.
Is CVE-2018-11779 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.