CVE-2026-40557: CWE-295 Improper Certificate Validation in Apache Software Foundation Apache Storm Prometheus Reporter
Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter Versions Affected: from 2.6.3 to 2.8.6 Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon. The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials. Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.
AI Analysis
Technical Summary
Apache Storm Prometheus Reporter contains an improper certificate validation vulnerability (CWE-295) due to the use of an insecure trust manager when the configuration option storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation is enabled. This option, intended to disable TLS validation only for Prometheus PushGateway connections, globally replaces the JVM's default SSL context with one that accepts all certificates without validation. This global override affects all TLS-protected communications within the Storm daemon process, including critical components like ZooKeeper and UI connections. The vulnerability exists in versions 2.6.3 through 2.8.6 and allows man-in-the-middle interception of sensitive data and credentials. The issue is fixed in version 2.8.7, which removes this global SSL context override.
Potential Impact
When the skip_tls_validation option is enabled, all TLS connections in the Storm daemon trust any SSL certificate, including self-signed, expired, or attacker-generated certificates. This creates a significant risk of man-in-the-middle attacks that can intercept cluster state, topology submissions, tuple data, and administrative credentials. The vulnerability compromises the confidentiality and integrity of communications within the Storm cluster.
Mitigation Recommendations
Users of Apache Storm 2.x who use the Prometheus Metrics Reporter should upgrade to version 2.8.7, where this vulnerability is fixed. If immediate upgrade is not possible, users should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate to maintain secure TLS validation. Patch status is not explicitly confirmed in the advisory, but the vendor's recommendation to upgrade to 2.8.7 indicates an official fix is available.
CVE-2026-40557: CWE-295 Improper Certificate Validation in Apache Software Foundation Apache Storm Prometheus Reporter
Description
Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter Versions Affected: from 2.6.3 to 2.8.6 Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon. The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials. Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Apache Storm Prometheus Reporter contains an improper certificate validation vulnerability (CWE-295) due to the use of an insecure trust manager when the configuration option storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation is enabled. This option, intended to disable TLS validation only for Prometheus PushGateway connections, globally replaces the JVM's default SSL context with one that accepts all certificates without validation. This global override affects all TLS-protected communications within the Storm daemon process, including critical components like ZooKeeper and UI connections. The vulnerability exists in versions 2.6.3 through 2.8.6 and allows man-in-the-middle interception of sensitive data and credentials. The issue is fixed in version 2.8.7, which removes this global SSL context override.
Potential Impact
When the skip_tls_validation option is enabled, all TLS connections in the Storm daemon trust any SSL certificate, including self-signed, expired, or attacker-generated certificates. This creates a significant risk of man-in-the-middle attacks that can intercept cluster state, topology submissions, tuple data, and administrative credentials. The vulnerability compromises the confidentiality and integrity of communications within the Storm cluster.
Mitigation Recommendations
Users of Apache Storm 2.x who use the Prometheus Metrics Reporter should upgrade to version 2.8.7, where this vulnerability is fixed. If immediate upgrade is not possible, users should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate to maintain secure TLS validation. Patch status is not explicitly confirmed in the advisory, but the vendor's recommendation to upgrade to 2.8.7 indicates an official fix is available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-14T11:20:51.218Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ef64deba26a39fba2863c8
Added to database: 4/27/2026, 1:30:06 PM
Last enriched: 4/27/2026, 1:45:52 PM
Last updated: 4/27/2026, 3:37:28 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.