GHSA-82fm-wpc2-5pmp

Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter

Versions Affected: from 2.6.3 to 2.8.6

Description: 

In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skiptlsvalidation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.

The PrometheusPreparableReporter class implements an INSECURETRUSTMANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skiptlsvalidation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURECONNECTIONFACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURECONNECTIONFACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.

Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skiptlsvalidation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.