Deserialization in Apache Software Foundation Storm

CVE-2021-40865

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1…

Vulnerability class: Insecure Deserialization

EPSS: 0.656 (99.2nd percentile)

Frequently asked questions

What is CVE-2021-40865?
CVE-2021-40865 is a vulnerability in Apache Software Foundation Storm, classified under Deserialization of Untrusted Data. Published 2021-10-25.
Is CVE-2021-40865 known to be exploited?
8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.