{"schema_version": "1.6.1", "id": "CVE-2026-40557", "summary": "Disabling TLS verification for Prometheus Reporter also disables it for all other connections", "details": "Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter\n\n\nVersions Affected: from 2.6.3 to 2.8.6\n\n\nDescription: \n\nIn production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.\n\n\nThe PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.\n\n\n\n\nMitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "2.6.3"}, {"fixed": "2.8.7"}]}]}], "references": [{"type": "WEB", "url": "https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq"}]}