CVE-2017-9799: Apache Storm: it is possible for the owner of a topology to trick the supervisor into launching a worker as a different, non-root, user

Basic Information
CVE ID: CVE-2017-9799
GHSA ID: -
CVSS Score: 8.8 (CVSS 3.0)
EPSS Score: 0.74476%
CWE: -
Published: 10/17/2018
Updated: 1/9/2023
KEV Status: No
Technology: Java

Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Note that the vector scores the attacker as unprivileged (PR:N) even though the title describes the attacker as the owner of a topology, i.e. someone who can already submit topologies to the cluster.
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.storm:storm-core | maven | = 1.1.0 | 1.1.1 |
org.apache.storm:storm-core | maven | >= 1.0.0, < 1.0.4 | 1.0.4 |
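To turn the version table into a check, here is an added Python example (not code from the advisory or from Apache Storm) that decides whether a given org.apache.storm:storm-core version falls in the affected ranges above and scans `mvn dependency:list` output for affected entries. The sample dependency list is constructed for this example, and the pre-release handling (a -SNAPSHOT of the first patched version is treated as still affected) is this example's own conservative choice, not something the advisory states.

```python
"""Version check for the CVE-2017-9799 affected ranges of org.apache.storm:storm-core.

Added example, not code from the advisory or from Apache Storm. The ranges are
transcribed from the advisory table; the pre-release handling is this example's
own conservative choice.
"""
from __future__ import annotations

import re
from typing import Optional

# Versions are compared as (major, minor, patch, rank). A release gets rank 1 and a
# version with a qualifier (e.g. 1.0.4-SNAPSHOT) gets rank 0, so a pre-release of
# the first patched version still sorts below the fix and is reported as affected.
RELEASE, PRERELEASE = 1, 0

# Affected ranges from the advisory table: lower bound (inclusive), upper bound
# (exclusive), first patched version.
AFFECTED_RANGES = [
    ((1, 0, 0, RELEASE), (1, 0, 4, RELEASE), "1.0.4"),  # >= 1.0.0, < 1.0.4
    ((1, 1, 0, RELEASE), (1, 1, 1, RELEASE), "1.1.1"),  # = 1.1.0
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Split 'MAJOR.MINOR.PATCH[-qualifier]' into a comparable tuple.

    Anything else (e.g. a four-part version) raises instead of silently passing.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Maven version: {version!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch), PRERELEASE if qualifier else RELEASE)


def first_patched_version(version: str) -> Optional[str]:
    """Return the first patched version if `version` is affected, else None."""
    parsed = parse_version(version)
    for lower, upper, patched in AFFECTED_RANGES:
        if lower <= parsed < upper:
            return patched
    return None


# `mvn dependency:list` prints resolved artifacts as
# groupId:artifactId:type[:classifier]:version[:scope].
DEP_LINE_RE = re.compile(
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):[\w-]+:(?:[\w-]+:)?"
    r"(?P<version>\d+\.\d+\.\d+(?:-[\w.]+)?)(?::\S+)?"
)


def scan_dependency_list(text: str) -> list[tuple[str, str]]:
    """Return (found version, first patched version) for each affected
    org.apache.storm:storm-core entry in `mvn dependency:list` output."""
    findings: list[tuple[str, str]] = []
    for line in text.splitlines():
        m = DEP_LINE_RE.search(line)
        if m is None or (m["group"], m["artifact"]) != ("org.apache.storm", "storm-core"):
            continue
        patched = first_patched_version(m["version"])
        if patched is not None:
            findings.append((m["version"], patched))
    return findings


# Constructed sample of `mvn dependency:list` output for this example.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.storm:storm-core:jar:1.0.3:provided
[INFO]    org.apache.storm:storm-core:jar:tests:1.1.1:test
[INFO]    org.apache.storm:storm-kafka:jar:1.0.3:compile
[INFO]    org.apache.storm:storm-core:jar:1.0.4-SNAPSHOT:provided
"""

if __name__ == "__main__":
    for found, patched in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"storm-core {found} is affected by CVE-2017-9799; upgrade to {patched}")
```

Maven's real version ordering is more elaborate than the major.minor.patch plus qualifier split used here, so versions the parser does not recognise raise rather than pass silently. The check only tells you the artifact version; whether the impact in the title applies still depends on the supervisor launching workers as the topology owner, which is the setup the title describes.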
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
This analysis is inferred from the patch for the affected versions. The patch changes Nimbus's downloadChunk function, which is part of the topology file distribution logic, in three ways:
- it switches the stream type from BufferFileInputStream to BufferInputStream,
- it closes the stream explicitly, and
- it improves the error messages.
These changes suggest that the original implementation allowed:
- stream reuse or leakage through an unclosed BufferFileInputStream, and
- error messages that did not identify which stream had failed.
Because downloadChunk sits on the topology file distribution path, mishandled streams could let a topology owner interfere with worker process initialization; the function processes user-controlled topology artifacts and is therefore the entry point through which such data could be manipulated to trigger the user context switch described in the title. The patch details listed here are stream-handling fixes, and the page does not show the check that decides which user the supervisor launches the worker as, so treat this chain as an inference from the diff rather than a confirmed exploit path.