JustAppSec

Apache Storm patches unsafe deserialization RCE in storm-client

Published 12 Apr 2026 · Source: SecLists (oss-sec)

TL;DR — Apache Storm’s storm-client can deserialize attacker-controlled Kerberos TGT credentials via the Nimbus API, enabling authenticated RCE in Nimbus and Worker JVMs.

What happened

Apache Storm is a distributed stream-processing system; operators submit “topologies” to a central coordinator (Nimbus) which then schedules work across the cluster.

In CVE-2026-35337, Storm’s client-side credential handling for Kerberos TGTs can feed a base64-encoded blob into ObjectInputStream.readObject() without class filtering or validation when processing topology credentials submitted via the Nimbus Thrift API. The advisory states that an authenticated user with topology submission rights can provide a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.

Why this matters: Java deserialization in “control plane” APIs (like topology submission) tends to be a high-leverage cluster compromise path—especially in shared data platforms where many users can submit jobs.

Who is impacted

  • Deployments using Apache Storm Client org.apache.storm:storm-client before 2.8.6.
  • Clusters where users (including service accounts) have topology submission rights and can submit topology credentials via the Nimbus Thrift API.
  • Environments where code execution as the Nimbus/Worker processes is a meaningful privilege boundary (e.g., access to internal networks, secrets, data stores).
  Component                       | Affected versions (per advisory) | Patched version (per advisory)
  --------------------------------|----------------------------------|-------------------------------
  org.apache.storm:storm-client   | before 2.8.6                     | 2.8.6

What to do now

  • Follow vendor remediation guidance and apply the patched release referenced in the advisory.

    "2.x users should upgrade to 2.8.6."

  • If you cannot upgrade, apply the advisory’s workaround: monkey-patch an ObjectInputFilter allow-list into ClientAuthUtils.deserializeKerberosTicket() and restrict allowed classes to javax.security.auth.kerberos.KerberosTicket and known dependencies.
  • Inventory where Storm topology submission is exposed (internal portals, CI-driven job deployers, multi-tenant pipelines) and re-check who has topology submission rights; treat this permission as code-execution-adjacent.
  • If compromise is suspected, review Nimbus and Worker logs around topology submission and credential handling, and rotate any credentials accessible to the Storm processes.
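A hardened version of the base64-to-readObject() path that the workaround describes, as an added example that is not Storm's code: the class FilteredTgtDeserializer, its method signature and the list of "known dependencies" in the allow-list are assumptions (Java 9+ java.io.ObjectInputFilter), and the real ClientAuthUtils.deserializeKerberosTicket() signature must be checked against the 2.x source before patching.

```java
import java.io.*;
import java.util.*;
import javax.security.auth.kerberos.*;

public class FilteredTgtDeserializer {
    // Allow-list: KerberosTicket plus the JDK classes its serialized form refers to
    // (assumption: confirm the list for your JDK by round-tripping a real TGT in a test).
    // Primitive arrays (byte[], boolean[]) are always allowed; "!*" rejects every other class
    // and the limits bound what a hostile blob can consume before it is rejected.
    private static final ObjectInputFilter TGT_FILTER = ObjectInputFilter.Config.createFilter(
            "javax.security.auth.kerberos.KerberosTicket;"
          + "javax.security.auth.kerberos.KeyImpl;"
          + "javax.security.auth.kerberos.KerberosPrincipal;"
          + "java.util.Date;java.net.InetAddress;java.net.Inet4Address;java.net.Inet6Address;"
          + "maxdepth=8;maxbytes=65536;!*");

    /** Hardened base64 -> readObject() path: the filter is installed before anything is read. */
    public static KerberosTicket deserializeKerberosTicket(String base64Blob) throws IOException {
        byte[] raw = Base64.getDecoder().decode(base64Blob);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            ois.setObjectInputFilter(TGT_FILTER);      // must precede readObject()
            return (KerberosTicket) ois.readObject();  // InvalidClassException if any class is rejected
        } catch (ClassNotFoundException e) {
            throw new InvalidClassException("unknown class in TGT blob: " + e.getMessage());
        }
    }

    private static String serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed, non-secret ticket: a legitimate credential must still pass the filter.
        KerberosTicket ticket = new KerberosTicket(new byte[] {0x30, 0x00},
                new KerberosPrincipal("alice@EXAMPLE.COM"),
                new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
                new byte[16], 17, null, new Date(), new Date(),
                new Date(System.currentTimeMillis() + 3_600_000L), null, null);
        System.out.println("accepted: " + deserializeKerberosTicket(serialize(ticket)).getClient());
        // Any other class (a harmless ArrayList here) is rejected before it is instantiated.
        try {
            deserializeKerberosTicket(serialize(new ArrayList<String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The main() round-trips a constructed ticket and then shows that a blob whose class is not on the allow-list is refused with InvalidClassException before any instance is created, which is the check to keep in a regression test once the real patch or the 2.8.6 upgrade is in place.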
