Apache Storm Prometheus Reporter Global SSL Context Downgrade Vulnerability
Vulnerability
A vulnerability exists in Apache Storm versions from 2.6.3 up to but not including 2.8.7, specifically within the Prometheus Metrics Reporter. When the 'storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation' option is enabled, the reporter does not merely relax validation for its own connection to the PushGateway: it replaces the default SSL context for the entire Java Virtual Machine (JVM). After that change, every TLS connection made by the process, including those to ZooKeeper, Thrift, Netty, and the user interface, accepts any server certificate without validation. As a result, an attacker positioned on the network path could intercept and manipulate sensitive data such as cluster state, topology submissions, tuple information, and administrative credentials.
Impact
Enabling the option produces a global downgrade of TLS security in the JVM, allowing man-in-the-middle attacks on all subsequent HTTPS connections made by that process, not only the metrics push. This could result in unauthorized interception of sensitive data and credentials within the Apache Storm environment.
Remediation
Users of Apache Storm 2.x who utilize the Prometheus Metrics Reporter should upgrade to version 2.8.7. Those unable to upgrade immediately should remove the 'storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true' setting from their 'storm.yaml' configuration and instead configure a proper truststore containing the PushGateway's certificate.
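The following Java sketch is an added illustration and is not Apache Storm's own reporter code. It contrasts the anti-pattern the advisory describes (installing a trust-all context as the JVM-wide default via SSLContext.setDefault) with the remediation the advisory recommends: an SSLContext built from a dedicated truststore that holds the PushGateway's certificate and is applied only to the reporter's own HttpsURLConnection. The class name, truststore path, password and PushGateway URL are assumptions chosen for the example; the anti-pattern method is included only as the thing to look for in review and is never invoked.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Illustrative code (hypothetical class, not Apache Storm's own).
 * Shows why a "skip TLS validation" switch must never touch the JVM default
 * SSL context, and how to scope a truststore-backed context to one client.
 */
public class PushGatewayTlsExample {

    // ANTI-PATTERN (what the advisory describes): SSLContext.setDefault and
    // HttpsURLConnection.setDefaultSSLSocketFactory are process-wide. Every other
    // TLS client in the JVM (ZooKeeper, Thrift, UI, ...) silently stops validating peers.
    // Kept here only as the pattern to grep for in review; not called anywhere.
    static void installGlobalTrustAll() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
                public void checkClientTrusted(X509Certificate[] c, String a) { /* accepts anything */ }
                public void checkServerTrusted(X509Certificate[] c, String a) { /* accepts anything */ }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        SSLContext.setDefault(ctx);                                           // global side effect
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory()); // also global
    }

    // HARDENED: load a truststore containing the PushGateway's certificate (or its
    // issuing CA) and build a private SSLContext from it. The context is returned to
    // the caller and never installed as the JVM default.
    static SSLContext contextFromTruststore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Apply the scoped context to this one connection only; nothing else in the JVM changes.
    static HttpsURLConnection openPushGatewayConnection(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("PUT");
        conn.setDoOutput(true);
        return conn;
    }

    // Sanity check a reporter can run on startup: the JVM default must not be our context.
    static boolean defaultContextUntouched(SSLContext scoped) throws Exception {
        return SSLContext.getDefault() != scoped;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical truststore path, password and gateway URL (example values only).
        SSLContext scoped = contextFromTruststore("/etc/storm/pushgateway-truststore.jks",
                                                  "changeit".toCharArray());
        HttpsURLConnection conn = openPushGatewayConnection(
            "https://pushgateway.example.internal:9091/metrics/job/storm", scoped);
        if (!defaultContextUntouched(scoped)) {
            throw new IllegalStateException("reporter must not replace the JVM default SSLContext");
        }
        conn.disconnect();
    }
}
```

When auditing a Storm deployment or any JVM plugin for this class of defect, the two calls worth searching for are SSLContext.setDefault and HttpsURLConnection.setDefaultSSLSocketFactory: a metrics or monitoring component has no business calling either, and their presence is a stronger signal than the name of the configuration flag that guards them.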