CVE-2021-38294

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute arbitrary commands on Apache Storm Nimbus servers by sending specially crafted Thrift requests. It affects Apache Storm 1.x before 1.2.4 and 2.x before 2.2.1. Attackers can gain full control of vulnerable systems without any authentication.

💻 Affected Systems

Products:
  • Apache Storm
Versions: Apache Storm 1.x prior to 1.2.4, Apache Storm 2.x prior to 2.2.1
Operating Systems: All operating systems running Apache Storm
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Nimbus server component. All default configurations are vulnerable as the flaw is in the service itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining root/administrator privileges, deploying ransomware, establishing persistent backdoors, and pivoting to internal networks.

🟠 Likely Case

Remote code execution leading to cryptocurrency mining, data exfiltration, or joining botnets, with potential lateral movement within the network.

🟢 If Mitigated

Limited impact if network segmentation prevents external access and proper authentication controls are in place, though internal threats remain.

🌐 Internet-Facing: HIGH - Directly exploitable without authentication from any internet-connected system.
🏢 Internal Only: HIGH - Even internally, any user or compromised system on the network can exploit this without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on Packet Storm Security. Simple command injection via Thrift protocol.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Storm 1.2.4 or 2.2.1

Vendor Advisory: https://lists.apache.org/thread.html/r5fe881f6ca883908b7a0f005d35115af49f43beea7a8b0915e377859%40%3Cuser.storm.apache.org%3E

Restart Required: Yes

Instructions:

1. Download Apache Storm 1.2.4 or 2.2.1 from official Apache mirrors.
2. Stop all Storm services.
3. Back up configuration files.
4. Install the patched version.
5. Restore configurations.
6. Restart Storm services.

🔧 Temporary Workarounds

Network Segmentation (Linux)

Restrict access to the Nimbus server port (default 6627) to trusted management networks only. Replace trusted_network with the management CIDR. Because both rules are appended with -A, the ACCEPT rule must be added before the DROP rule, and neither rule persists across a reboot unless the ruleset is saved.

  iptables -A INPUT -p tcp --dport 6627 -s trusted_network -j ACCEPT
  iptables -A INPUT -p tcp --dport 6627 -j DROP

Authentication Proxy (all platforms)

Place Nimbus behind a reverse proxy with strong authentication requirements.

🧯 If You Can't Patch

  • Implement strict network access controls to limit Nimbus server exposure
  • Deploy intrusion detection systems to monitor for exploit attempts on port 6627

🔍 How to Verify

Check if Vulnerable:

Run storm version. If the reported version is 1.x earlier than 1.2.4 or 2.x earlier than 2.2.1, the system is vulnerable.

Check Version:

storm version

Verify Fix Applied:

After patching, confirm with the storm version command that the version is 1.2.4 or higher (for 1.x) or 2.2.1 or higher (for 2.x).
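As an added example (not part of this advisory or of the Storm project), the following Python check parses the output of storm version and applies the affected-range rule above, keeping the 1.x and 2.x branches separate so that, for instance, 1.2.4 is treated as fixed even though it is numerically below 2.2.1. It assumes the version banner begins with a line of the form "Storm <major>.<minor>.<patch>"; the sample output embedded in the block is constructed, and the subprocess call only runs when the script is executed directly on a host with storm on PATH.

```python
import re
import subprocess
from typing import Optional, Tuple

# First fixed release on each affected branch, per the advisory.
FIXED = {1: (1, 2, 4), 2: (2, 2, 1)}

# Constructed sample of `storm version` output (assumed layout, not captured from a real host).
SAMPLE_OUTPUT = """\
Storm 1.2.3
URL https://github.com/apache/storm.git -r 0000000
Branch (no branch)
"""

Version = Tuple[int, int, int]


def parse_version(output: str) -> Version:
    """Extract (major, minor, patch) from the banner; assumes a 'Storm X.Y.Z' line is present."""
    m = re.search(r"Storm\s+(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no 'Storm X.Y.Z' version string found in output")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_vulnerable(version: Version) -> Optional[bool]:
    """True if the version is in an affected range, False if fixed, None if the
    major branch is not one the advisory names (0.x, 3.x, ...)."""
    fixed = FIXED.get(version[0])
    if fixed is None:
        return None
    # Tuple comparison is lexicographic, so (1, 2, 3) < (1, 2, 4) and (2, 2, 0) < (2, 2, 1).
    return version < fixed


def check_host() -> Optional[bool]:
    """Run `storm version` on this host and classify the result."""
    out = subprocess.run(["storm", "version"], capture_output=True, text=True, check=True).stdout
    return is_vulnerable(parse_version(out))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; replace with check_host() on a real node.
    v = parse_version(SAMPLE_OUTPUT)
    print("Storm %d.%d.%d vulnerable: %s" % (v + (is_vulnerable(v),)))
```

The check deliberately distinguishes "fixed" from "not covered by the advisory": a result of None should be read as "consult the vendor", not as "safe".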

📡 Detection & Monitoring

Log Indicators:

  • Unusual Thrift requests to getTopologyHistory endpoint
  • Suspicious command execution in Nimbus logs
  • Failed authentication attempts followed by successful Thrift requests

Network Indicators:

  • Unusual outbound connections from Nimbus server
  • Traffic to port 6627 from unexpected sources
  • Thrift protocol anomalies

SIEM Query:

source="storm-nimbus.log" AND "getTopologyHistory" AND ("Runtime.exec" OR "ProcessBuilder" OR suspicious_command_patterns)
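As an added example (not from this advisory or from the Storm project), the Python block below turns the two indicators above into runnable checks: it applies the SIEM query's terms to Nimbus log lines, flagging only lines that mention getTopologyHistory together with a process-execution term, and it compares the source of each connection to port 6627 against a trusted-network allowlist. Both the log lines and the connection records are constructed for this example; their layout is invented, so adapt the regexes to your own Nimbus log format and flow export.

```python
import ipaddress
import re
from typing import Iterable, List

NIMBUS_PORT = 6627

# Constructed sample Nimbus log lines (invented layout, not Storm's real log format).
SAMPLE_NIMBUS_LOG = """\
2021-10-25 10:12:01,100 o.a.s.d.n.Nimbus [INFO] getTopologyHistory called by user alice
2021-10-25 10:12:02,300 o.a.s.d.n.Nimbus [INFO] submitTopology wordcount by user bob
2021-10-25 10:12:05,900 o.a.s.d.n.Nimbus [WARN] getTopologyHistory handler: java.lang.ProcessBuilder start
2021-10-25 10:12:06,010 o.a.s.d.n.Nimbus [ERROR] getTopologyHistory: Runtime.exec failed
2021-10-25 10:13:00,000 o.a.s.d.n.Nimbus [INFO] getTopologyHistory called by user carol
"""

# Constructed connection records, as a flow collector might export them (invented layout).
SAMPLE_CONNECTIONS = """\
src=10.20.0.15 dst=10.20.0.1 dst_port=6627
src=10.20.0.16 dst=10.20.0.1 dst_port=6627
src=203.0.113.77 dst=10.20.0.1 dst_port=6627
src=198.51.100.9 dst=10.20.0.1 dst_port=8080
"""

# The process-execution terms from the page's SIEM query, as one regex.
EXEC_TERMS = re.compile(r"Runtime\.exec|ProcessBuilder")

CONN_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dst_port=(\d+)")


def scan_nimbus_log(text: str) -> List[str]:
    """Return log lines that mention getTopologyHistory and a process-execution term.

    Requiring both terms on the same line keeps ordinary history lookups out of the alert stream.
    """
    return [
        line
        for line in text.splitlines()
        if "getTopologyHistory" in line and EXEC_TERMS.search(line)
    ]


def unexpected_nimbus_clients(text: str, trusted_cidrs: Iterable[str]) -> List[str]:
    """Return source addresses that reached the Nimbus port from outside the trusted networks."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    flagged = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m or int(m.group(3)) != NIMBUS_PORT:
            continue  # malformed record or traffic to some other port
        src = ipaddress.ip_address(m.group(1))
        if not any(src in net for net in trusted):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    for hit in scan_nimbus_log(SAMPLE_NIMBUS_LOG):
        print("LOG  ", hit)
    for src in unexpected_nimbus_clients(SAMPLE_CONNECTIONS, ["10.20.0.0/24"]):
        print("NET  ", src, "-> port", NIMBUS_PORT)
```

The allowlist for the network check should match the networks you admit in the iptables workaround; a source that the firewall would drop but that still appears in connection records is itself a sign that the rule is not in effect where you expect.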
