The first vulnerability was found in one of the functions of Nimbus, which runs on top of a Thrift server. The second bug was found in Storm’s supervisor service, which runs on top of a Netty server.