CVE-2026-35337 Overview
CVE-2026-35337 is an insecure deserialization vulnerability affecting Apache Storm, a distributed real-time computation system. When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.
Critical Impact
This vulnerability allows authenticated attackers with topology submission rights to achieve remote code execution on Apache Storm clusters, potentially compromising both the Nimbus master node and all Worker nodes processing topologies.
Affected Products
- Apache Storm versions before 2.8.6
- Apache Storm 2.x series (all versions prior to the patch)
- Any deployment utilizing Kerberos authentication with topology credential submission
Discovery Timeline
- April 12, 2026 - Apache Storm releases security patch in version 2.8.6
- April 13, 2026 - CVE-2026-35337 published to NVD
- April 15, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35337
Vulnerability Analysis
This vulnerability falls under CWE-502 (Deserialization of Untrusted Data), a well-known class of security issues in Java applications. The flaw exists in how Apache Storm handles Kerberos ticket credentials during topology submission. When an authenticated user submits a topology through the Nimbus Thrift API, they can include credential information including Kerberos TGT (Ticket Granting Ticket) blobs. The ClientAuthUtils.deserializeKerberosTicket() method processes these TGT credentials by directly passing the base64-decoded data to Java's native ObjectInputStream.readObject() method without implementing any deserialization filters or class whitelisting.
This architectural oversight allows attackers to exploit Java's serialization mechanism by crafting malicious serialized objects that execute arbitrary code upon deserialization. Common gadget chains from libraries present in the Storm classpath (such as commons-collections, spring-beans, or other dependencies) can be leveraged to achieve remote code execution.
Root Cause
The root cause is the absence of deserialization controls in the ClientAuthUtils.deserializeKerberosTicket() method. Java deserialization is inherently dangerous when processing untrusted input because the readObject() method can trigger code execution through specially crafted serialized objects. The affected code path directly deserializes user-supplied credential data without implementing ObjectInputFilter restrictions to limit which classes can be instantiated during the deserialization process. This allows attackers to inject gadget chains that leverage existing classes in the application classpath to execute arbitrary code.
Attack Vector
The attack requires network access to the Nimbus Thrift API and authentication with topology submission privileges. An attacker would craft a malicious serialized Java object containing a gadget chain compatible with libraries present in Storm's classpath. This payload is then base64-encoded and submitted as the "TGT" credential field during topology submission. When the Nimbus server processes this credential, the deserialization triggers the gadget chain, resulting in code execution within the Nimbus JVM. If the malicious topology is distributed to Worker nodes, code execution can also occur on those systems during credential processing.
The attack does not require user interaction and can be executed remotely over the network. While authentication is required, any user with topology submission rights can exploit this vulnerability, making it particularly dangerous in multi-tenant Storm deployments.
Detection Methods for CVE-2026-35337
Indicators of Compromise
- Unusual or unexpected classes appearing in Java deserialization logs on Nimbus or Worker nodes
- Topology submissions containing abnormally large or suspicious base64-encoded TGT credential blobs
- Unexpected process spawning or network connections originating from Nimbus or Worker JVM processes
- Error messages related to deserialization failures with non-Kerberos class types in Storm logs
Detection Strategies
- Monitor Nimbus Thrift API access logs for topology submissions from unexpected sources or with unusual credential sizes
- Implement network segmentation monitoring to detect outbound connections from Storm cluster nodes to unexpected destinations
- Deploy Java agent-based monitoring to track ObjectInputStream.readObject() calls and flag suspicious class instantiation patterns
- Configure SIEM rules to correlate authentication events with subsequent anomalous process behavior on Storm infrastructure
Monitoring Recommendations
- Enable verbose logging for the ClientAuthUtils class and monitor for deserialization-related exceptions
- Implement file integrity monitoring on Storm installation directories to detect post-exploitation modifications
- Monitor for unusual CPU or memory consumption patterns on Nimbus and Worker nodes that could indicate cryptominer or other malware execution
- Review and audit all users with topology submission privileges regularly
How to Mitigate CVE-2026-35337
Immediate Actions Required
- Upgrade all Apache Storm deployments to version 2.8.6 or later immediately
- Audit current topology submission permissions and revoke access from any untrusted or unnecessary accounts
- Review recent topology submissions for suspicious credential content prior to patching
- Implement network segmentation to restrict Nimbus Thrift API access to only authorized systems
Patch Information
Apache has released version 2.8.6 which addresses this vulnerability by implementing proper deserialization controls. Users running Apache Storm 2.x versions should upgrade to 2.8.6 as soon as possible. The patch implements an ObjectInputFilter allow-list that restricts deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies, preventing the instantiation of gadget chain classes during TGT credential processing.
For detailed patch information and upgrade instructions, see the Apache Storm 2.8.6 Release Announcement. Additional security discussion is available on the OpenWall OSS Security Mailing List.
Workarounds
- For users who cannot upgrade immediately, implement a monkey-patch to add an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies
- Restrict network access to the Nimbus Thrift API using firewall rules to limit exposure
- Implement strict access controls to minimize the number of users with topology submission rights
- Consider temporarily disabling Kerberos-based authentication if not strictly required until patching is complete
The Apache Storm release notes for version 2.8.6 include a detailed guide on implementing the monkey-patch workaround for organizations unable to immediately upgrade.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
