The Apache Storm community is pleased to announce that version 2.8.7 has been released and is available from the downloads page.
This release includes security fixes, new features, bug fixes, and library updates. We encourage users of previous versions to upgrade to this latest release.
Special thanks are due to all those who have contributed to Apache Storm -- whether through direct code contributions, documentation, bug reports, or helping other users on the mailing lists. Your efforts are much appreciated.
JIRA issues addressed in the 2.8.7 release of Storm. Documentation for this release is available at the Apache Storm project site.
Versions Affected: from 2.6.3 to 2.8.6.
Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon. The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation. When this setting is enabled, it calls SSLContext.setDefault(), which globally replaces the JVM's default SSL context, resulting in a JVM-wide TLS security downgrade.
Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Users who cannot upgrade immediately should ensure storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation is set to false (default) and configure a proper truststore.
Credit: This issue was discovered by K.
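To make the scope problem concrete, here is an added illustration (not Storm's own code, and not the PrometheusPreparableReporter class) of the two ways a permissive trust manager can be wired in. Installing it with SSLContext.setDefault() changes what every later SSLContext.getDefault() caller in the JVM receives, whereas handing the same context only to the reporter's HTTP client leaves other channels on the stock default. The check in defaultContextLooksReplaced() relies on the JDK's stock default context reporting the protocol name "Default"; the class and method names here are the example's own.

```java
import java.net.http.HttpClient;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class ScopedTlsDemo {

    // A trust-everything manager of the kind the advisory describes (illustrative only).
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    static SSLContext permissiveContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_ALL }, new SecureRandom());
        return ctx;
    }

    // The problematic pattern: the permissive context becomes the JVM-wide default,
    // so unrelated TLS clients that rely on SSLContext.getDefault() inherit it.
    static void installGlobally(SSLContext ctx) {
        SSLContext.setDefault(ctx);
    }

    // The scoped pattern: the context is passed only to the one client that needs it
    // (here a java.net.http.HttpClient standing in for a metrics reporter's client).
    static HttpClient scopedClient(SSLContext ctx) {
        return HttpClient.newBuilder().sslContext(ctx).build();
    }

    // Operational check: the JDK's stock default SSLContext is created with the
    // protocol name "Default"; anything else means setDefault() has been called.
    static boolean defaultContextLooksReplaced() throws NoSuchAlgorithmException {
        return !"Default".equals(SSLContext.getDefault().getProtocol());
    }

    public static void main(String[] args) throws Exception {
        System.out.println("startup: default replaced = " + defaultContextLooksReplaced());

        HttpClient reporterOnly = scopedClient(permissiveContext());
        System.out.println("after scoped client: default replaced = " + defaultContextLooksReplaced());

        installGlobally(permissiveContext());
        System.out.println("after setDefault(): default replaced = " + defaultContextLooksReplaced());
    }
}
```

The defaultContextLooksReplaced() probe is a cheap thing to run from a health check or a startup log line on a daemon where TLS is expected to be validated; it reports the global replacement regardless of which component performed it.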
Versions Affected: before 2.8.7.
Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication, the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if certificate verification fails, rather than rejecting the connection. This enables unauthenticated clients to establish a TLS connection and potentially bypass authorization if the authorizer does not explicitly deny access to CN=ANONYMOUS.
Mitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner. Users who cannot upgrade immediately should enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true) and ensure authorization rules explicitly deny access to CN=ANONYMOUS.
Credit: This issue was discovered by K.
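The fail-open versus fail-closed distinction in the advisory, shown as an added example that is not Storm's TlsTransportPlugin or its authorizer. An SSLSession whose peer was not authenticated throws SSLPeerUnverifiedException from getPeerPrincipal(); the fail-open variant converts that into a CN=ANONYMOUS identity, the fail-closed variant lets the failure reach the caller so the connection is dropped, and the authorize() method models the compensating control from the mitigation (an explicit deny for CN=ANONYMOUS). The unverified session is a constructed reflection stub, and the method and class names are the example's own.

```java
import java.lang.reflect.Proxy;
import java.security.Principal;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

public final class PeerPrincipalDemo {

    static final Principal ANONYMOUS = new X500Principal("CN=ANONYMOUS");

    // Fail-open: a failed certificate verification is silently mapped to a fallback identity.
    static Principal failOpen(SSLSession session) {
        try {
            return session.getPeerPrincipal();
        } catch (SSLPeerUnverifiedException e) {
            return ANONYMOUS;
        }
    }

    // Fail-closed: the verification failure propagates; the caller must reject the connection
    // and no principal is ever produced for an unverified peer.
    static Principal failClosed(SSLSession session) throws SSLPeerUnverifiedException {
        return session.getPeerPrincipal();
    }

    // Compensating control: authorization rules must explicitly deny the anonymous principal
    // (the real ACL lookup that would follow is left as a hypothetical placeholder).
    static boolean authorize(Principal principal, String operation) {
        if (principal == null || ANONYMOUS.equals(principal)) {
            return false;
        }
        return true; // hypothetical: consult the configured ACL for (principal, operation)
    }

    // Constructed stub of a session whose peer certificate was not verified.
    static SSLSession unverifiedSession() {
        return (SSLSession) Proxy.newProxyInstance(
                SSLSession.class.getClassLoader(),
                new Class<?>[] { SSLSession.class },
                (proxy, method, args) -> {
                    if ("getPeerPrincipal".equals(method.getName())) {
                        throw new SSLPeerUnverifiedException("peer not authenticated");
                    }
                    throw new UnsupportedOperationException(method.getName());
                });
    }

    public static void main(String[] args) {
        SSLSession session = unverifiedSession();

        Principal p = failOpen(session);
        System.out.println("fail-open principal: " + p.getName()
                + ", submitTopology authorized = " + authorize(p, "submitTopology"));

        try {
            failClosed(session);
            System.out.println("fail-closed: unexpected success");
        } catch (SSLPeerUnverifiedException e) {
            System.out.println("fail-closed: connection rejected (" + e.getMessage() + ")");
        }
    }
}
```

The point of keeping both paths side by side is that the explicit deny in authorize() is only a safety net: with the fail-open mapping a misconfigured or permissive authorizer is one rule away from granting the anonymous identity access, whereas the fail-closed path never reaches authorization at all.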