Description
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm

Versions Affected: up to 2.8.7 (2.8.7 is the release that contains the fix; see Mitigation)

Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.

This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.

Impact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.

Mitigation: Users should upgrade to 2.8.7, in which TLS authentication failures are handled in a fail-closed manner.

Users who cannot upgrade immediately should:
- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)
- Ensure authorization rules explicitly deny access to CN=ANONYMOUS
- Review all ACL configurations for implicit default-allow behavior
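
The fail-open pattern the advisory describes, next to the fail-closed handling it asks for, as an added illustration in Java. This is not Storm's TlsTransportPlugin source and not the 2.8.7 patch; the class name PrincipalFromTls, the methods failOpen, failClosed and permits, the stand-in SSLSession built with a dynamic proxy and the sample distinguished names are assumptions made for the example. CN=ANONYMOUS and SSLPeerUnverifiedException are the names the advisory itself uses.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.Set;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

/**
 * Illustrative only (not Apache Storm's code): how a TLS transport layer turns
 * the handshake result into a principal, fail-open versus fail-closed, and why
 * a default-allow authorizer turns the fallback identity into real access.
 */
public final class PrincipalFromTls {

    /** Fallback identity named in the advisory. */
    static final Principal ANONYMOUS = new X500Principal("CN=ANONYMOUS");

    /** Fail-open: an unverified or absent client certificate silently becomes CN=ANONYMOUS. */
    static Principal failOpen(SSLSession session) {
        try {
            return session.getPeerPrincipal();
        } catch (SSLPeerUnverifiedException e) {
            // The advisory's bug class: the exception is swallowed (debug log at most)
            // and the caller receives a valid-looking principal anyway.
            return ANONYMOUS;
        }
    }

    /** Fail-closed: an unverified peer is a hard error and the connection must be rejected. */
    static Principal failClosed(SSLSession session) throws SSLPeerUnverifiedException {
        Principal p = session.getPeerPrincipal();  // throws if the peer was not authenticated
        if (p == null || ANONYMOUS.equals(p)) {
            throw new SSLPeerUnverifiedException("client certificate required");
        }
        return p;
    }

    /**
     * Assumed authorizer behaviour for the example: an empty ACL means "allow everyone"
     * (the implicit default-allow the advisory asks operators to look for); a
     * non-empty ACL permits only the listed distinguished names.
     */
    static boolean permits(Set<String> acl, Principal p) {
        return acl.isEmpty() || acl.contains(p.getName());
    }

    /** Stand-in SSLSession: getPeerPrincipal() returns peer, or throws when peer is null. */
    static SSLSession fakeSession(Principal peer) {
        InvocationHandler h = (proxy, method, args) -> {
            if (method.getName().equals("getPeerPrincipal")) {
                if (peer == null) throw new SSLPeerUnverifiedException("peer not authenticated");
                return peer;
            }
            throw new UnsupportedOperationException(method.getName());
        };
        return (SSLSession) Proxy.newProxyInstance(SSLSession.class.getClassLoader(),
                new Class<?>[] {SSLSession.class}, h);
    }

    public static void main(String[] args) {
        SSLSession verified = fakeSession(new X500Principal("CN=nimbus-client,O=example"));
        SSLSession unverified = fakeSession(null);  // no cert presented, or verification failed

        Set<String> namedAcl = Set.of("CN=nimbus-client,O=example");
        Set<String> emptyAcl = Set.of();  // default-allow in this example

        Principal anon = failOpen(unverified);
        System.out.println("fail-open, unverified peer -> " + anon.getName());
        System.out.println("  named ACL permits it?   " + permits(namedAcl, anon));
        System.out.println("  default-allow ACL permits it? " + permits(emptyAcl, anon));
        System.out.println("fail-open, verified peer -> " + failOpen(verified).getName());

        try {
            failClosed(unverified);
        } catch (SSLPeerUnverifiedException e) {
            System.out.println("fail-closed, unverified peer -> rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with javac PrincipalFromTls.java && java PrincipalFromTls; it needs nothing beyond the JDK. The fail-closed variant is the handling the advisory attributes to 2.8.7, but the stronger control is the configuration workaround: with nimbus.thrift.tls.client.auth.required set to true the TLS layer itself aborts the handshake of a client that presents no acceptable certificate, so no principal, fallback or otherwise, ever reaches the authorizer.
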

Published: 2026-04-27
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Access via Fallback Principal
Action: Immediate Patch

AI Analysis

Impact

The flaw is in the TLS client-authentication handling of Apache Storm's TlsTransportPlugin. When TLS transport is enabled but client certificates are not required, a missing client certificate or a failed verification raises SSLPeerUnverifiedException; the plugin catches and suppresses that exception and assigns the fallback principal CN=ANONYMOUS instead of rejecting the connection. An unauthenticated client therefore completes the TLS handshake and reaches the authorizer holding a valid-looking identity. Whether that becomes unauthorized access depends on the authorizer: if it (for example SimpleACLAuthorizer) does not deny CN=ANONYMOUS, the client can reach Storm services it was never authenticated for. The underlying weakness is an authentication bypass (CWE-287); the CVSS vector records partial confidentiality and integrity impact and no availability impact.

Affected Systems

The affected product is Apache Storm Client from the Apache Software Foundation. The advisory lists versions up to 2.8.7 as affected and names 2.8.7 as the release in which TLS authentication failures are handled fail-closed, so the vulnerable releases are those before 2.8.7. The failure only arises when TLS transport is enabled and client certificate authentication is not required, which the advisory states is the default configuration.

Risk and Exploitability

The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) is medium: reachable over the network with no privileges or user interaction, but with only partial confidentiality and integrity impact. No EPSS score is available, so exploitation likelihood cannot be estimated from it, and the CVE is not in the CISA KEV catalog; the SSVC record marks exploitation as none and the flaw as automatable. Two conditions must hold together for an attacker to gain anything: the TLS transport must not require client certificates (the default), and the configured authorizer must grant something to CN=ANONYMOUS. A cluster that requires client certificates terminates the handshake before any principal is assigned; what an authorizer grants to the anonymous principal depends on its ACL configuration, which is why the advisory asks operators to review it. Where both conditions hold, the attack is nothing more than a TLS connection from any host that can reach the service, with no payload or prior foothold. Whether an endpoint accepts anonymous peers can be confirmed by opening a TLS connection to it without presenting a client certificate: a server that completes the handshake and keeps the connection open is assigning the fallback principal, while a fail-closed server aborts the handshake.

Generated by OpenCVE AI on April 28, 2026 at 04:26 UTC.

Remediation

Vendor fix: Apache Storm 2.8.7, in which TLS authentication failures are handled fail-closed. Workarounds for deployments that cannot upgrade immediately are listed in the advisory above (require client certificates, deny CN=ANONYMOUS in the authorizer, review ACLs for default-allow).

OpenCVE Recommended Actions

  • Upgrade Apache Storm to version 2.8.7, where TLS failures are handled fail‑closed.
  • If an upgrade cannot be performed immediately, enable mandatory client certificate authentication by setting nimbus.thrift.tls.client.auth.required to true in the Storm configuration.
  • Configure ACLs to explicitly deny the CN=ANONYMOUS principal or review existing ACLs for implicit default‑allow settings to prevent unintended access.


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000
  First Time appeared (added): Apache, Apache storm
  Vendors & Products (added): Apache, Apache storm

Mon, 27 Apr 2026 15:15:00 +0000
  Metrics (added):
    cvssV3_1: score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    ssvc 2.0.3: Automatable: yes; Exploitation: none; Technical Impact: partial

Mon, 27 Apr 2026 14:30:00 +0000
  References (added)

Mon, 27 Apr 2026 13:30:00 +0000
  Description (added): the advisory text reproduced under Description at the top of this page
  Title (added): Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure
  Weaknesses (added): CWE-287
  References (added)

MITRE
  Status: PUBLISHED
  Assigner: apache
  Published:
  Updated: 2026-04-27T14:43:31.605Z
  Reserved: 2026-04-16T17:22:43.617Z
  Link: CVE-2026-41081

Vulnrichment
  Updated: 2026-04-27T13:36:46.761Z

NVD
  Status: Awaiting Analysis
  Published: 2026-04-27T14:16:48.167
  Modified: 2026-04-27T18:57:20.293
  Link: CVE-2026-41081

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-28T09:17:09Z
  Weaknesses: