Description
Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter

Versions Affected: from 2.6.3 to 2.8.6

Description:

In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (disabled by default) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.

The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation: its checkClientTrusted and checkServerTrusted methods are empty. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. The setting flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent TLS connections in the process (including ZooKeeper, Thrift, Netty, and UI connections) silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.

Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.
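As an added illustration (not code from Apache Storm or the advisory), the following Java shows the pattern the mitigation calls for: a truststore holding the PushGateway certificate, an SSLContext scoped to the single connection via setSSLSocketFactory instead of SSLContext.setDefault(), and a startup guard that detects a swapped JVM default. The class name, truststore path, password and PushGateway URL are constructed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class; not part of the Storm code base.
public final class ScopedPushGatewayTls {
    // Build an SSLContext that trusts only what the operator put in the
    // truststore (the PushGateway's certificate or its issuing CA).
    static SSLContext contextFromTruststore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx; // deliberately never passed to SSLContext.setDefault()
    }
    // Apply the context to this one connection only; every other TLS user in
    // the JVM keeps the default context and its normal certificate validation.
    static HttpsURLConnection openPushGateway(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn; // default HostnameVerifier stays in place
    }
    // Regression guard: SSLContext.getDefault() returns the same instance until
    // something calls setDefault(), so an identity check exposes a process-wide
    // downgrade introduced by any component after startup.
    static void assertDefaultContextUntouched(SSLContext baseline) throws Exception {
        if (SSLContext.getDefault() != baseline) {
            throw new IllegalStateException("JVM default SSLContext was replaced; find the SSLContext.setDefault() caller");
        }
    }
    public static void main(String[] args) throws Exception {
        SSLContext baseline = SSLContext.getDefault(); // capture before any reporter initialises
        // Constructed placeholders: substitute the real truststore path, password and PushGateway URL.
        SSLContext pushGwCtx = contextFromTruststore("/etc/storm/pushgateway-truststore.p12", "changeit".toCharArray());
        HttpsURLConnection conn = openPushGateway(new URL("https://pushgateway.example:9091/metrics/job/storm"), pushGwCtx);
        conn.setRequestMethod("PUT");
        assertDefaultContextUntouched(baseline);
        System.out.println("scoped TLS context ready for " + conn.getURL());
    }
}
```

Running the guard after daemon initialisation (or from a test that loads the reporter) turns the undocumented global side effect into a hard failure rather than a silent downgrade.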
Published: 2026-04-27
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Storm Prometheus Reporter contains a configuration option that, when enabled, replaces the JVM’s global SSL context with an insecure context that accepts any certificate. This causes every outbound TLS connection from the Storm daemon—such as ZooKeeper, Thrift, Netty, and the web UI—to trust all certificates, including self‑signed or attacker‑issued ones. The consequence is that an adversary can intercept, alter, or inject traffic across all secured channels, exposing cluster state, topology submission, and administrative credentials.

Affected Systems

Apache Software Foundation's Apache Storm Prometheus Reporter, versions 2.6.3 through 2.8.6. Storm clusters running these releases with the skip_tls_validation option enabled are affected.

Risk and Exploitability

The vulnerability creates a broad man-in-the-middle attack surface: the global downgrade of TLS verification silently relaxes certificate validation for all TLS communications from the daemon, not just the Prometheus PushGateway connection. The CVSS score of 4.8 indicates moderate severity, and the EPSS score of < 1% suggests a very low exploitation probability; however, once the option is enabled, no certificate check remains to stop interception, so the potential for exploitation in affected deployments is high. The vulnerability is not listed in CISA KEV, but the impact (including the possibility of intercepting confidential topology and control traffic) demonstrates severe confidentiality and integrity risks.

Generated by OpenCVE AI on May 1, 2026 at 05:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache Storm 2.8.7 or later if the Prometheus Metrics Reporter is in use.
  • If upgrading is not immediately possible, remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from storm.yaml.
  • Configure a proper truststore that contains the Prometheus PushGateway’s certificate instead of relying on the insecure skip flag.


Advisories
Source: GitHub GHSA
ID: GHSA-82fm-wpc2-5pmp
Title: Apache Storm Prometheus Reporter vulnerable to Improper Certificate Validation via Global SSL Context Downgrade
History

Tue, 05 May 2026 18:15:00 +0000

CPEs added: cpe:2.3:a:apache:storm_prometheus_reporter:*:*:*:*:*:*:*:*

Thu, 30 Apr 2026 16:30:00 +0000

Metrics added:
cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 09:45:00 +0000

First Time appeared: Apache, Apache storm Prometheus Reporter
Vendors & Products added: Apache, Apache storm Prometheus Reporter

Mon, 27 Apr 2026 14:30:00 +0000

References: (values not shown)

Mon, 27 Apr 2026 13:30:00 +0000

Description added: (identical to the Description section above)
Title added: Apache Storm Prometheus Reporter: Disabling TLS verification for Prometheus Reporter also disables it for all other connections
Weaknesses added: CWE-295
References: (values not shown)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-30T15:21:01.170Z

Reserved: 2026-04-14T11:20:51.218Z

Link: CVE-2026-40557

Vulnrichment

Updated: 2026-04-27T13:36:44.872Z

NVD

Status: Analyzed

Published: 2026-04-27T14:16:48.017

Modified: 2026-05-05T18:11:10.203

Link: CVE-2026-40557

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T05:45:10Z

Weaknesses