Apache Storm
cpe:2.3:a:apache:storm:*:*:*:*:*:*:*
- < 2.8.7
A vulnerability exists in Apache Storm Client versions prior to 2.8.7, where improper handling of TLS client authentication failures allows for the assignment of an anonymous principal identity. When TLS transport is enabled without mandatory client certificate authentication, the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if verification fails. This fail-open behavior enables unauthenticated clients to establish a TLS connection and receive a valid principal identity. If the configured authorizer does not explicitly deny access to CN=ANONYMOUS, this could result in unauthorized access to Storm services. The issue is only logged at the debug level, which reduces visibility in production environments.
The vulnerability could lead to unauthorized access to Storm services by allowing unauthenticated clients to be assigned a principal identity that bypasses authorization, particularly in permissive or misconfigured environments.
Users should upgrade to Apache Storm Client version 2.8.7 or later, where TLS authentication failures are handled correctly. For users unable to upgrade immediately, it is recommended to enable mandatory client certificate authentication, ensure authorization rules explicitly deny access to CN=ANONYMOUS, and review all ACL configurations for implicit default-allow behavior.
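The following is an added illustrative model, not Apache Storm's own TlsTransportPlugin or authorizer code: it contrasts the fail-open principal assignment the advisory describes (missing or unverifiable client certificate silently becomes CN=ANONYMOUS, logged only at debug level) with fail-closed handling, and implements the two ACL checks the mitigation section asks for (explicit deny of CN=ANONYMOUS, no implicit default-allow). Class, function and operation names (ClientCert, Authorizer, "submitTopology", "CN=worker-1") are assumptions chosen for the example.

```python
"""Model of fail-open vs. fail-closed TLS principal assignment and an ACL
audit for the mitigations in the advisory. Added example; not Storm code.
All class, function, principal and operation names are assumptions."""
import logging
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

log = logging.getLogger("tls-transport-model")

ANONYMOUS = "CN=ANONYMOUS"  # fallback principal named in the advisory


class HandshakeRejected(Exception):
    """Raised when a connection must be dropped instead of given a principal."""


@dataclass(frozen=True)
class ClientCert:
    subject: str    # certificate subject DN, e.g. "CN=worker-1" (constructed)
    verified: bool  # outcome of chain/expiry verification (constructed flag)


def principal_fail_open(cert: Optional[ClientCert]) -> str:
    """Pre-2.8.7 behaviour as described: no cert, or failed verification,
    silently yields CN=ANONYMOUS with only a debug-level log line."""
    if cert is None or not cert.verified:
        log.debug("no verified client certificate; using %s", ANONYMOUS)
        return ANONYMOUS
    return cert.subject


def principal_fail_closed(cert: Optional[ClientCert],
                          require_client_auth: bool = True) -> str:
    """Hardened behaviour: with mandatory client authentication a missing or
    unverifiable certificate rejects the handshake. The anonymous principal
    is assigned only when client auth is explicitly optional, and that
    decision is logged at WARNING so it is visible in production."""
    if cert is None or not cert.verified:
        if require_client_auth:
            log.warning("rejecting connection: client certificate missing "
                        "or failed verification")
            raise HandshakeRejected("client certificate required")
        log.warning("assigning %s: client auth is optional", ANONYMOUS)
        return ANONYMOUS
    return cert.subject


class Authorizer:
    """Minimal ACL model: explicit denies win, then explicit allows,
    then the configured default (default-deny unless stated otherwise)."""

    def __init__(self, allow: Dict[str, Set[str]],
                 deny: Iterable[str] = (), default_allow: bool = False) -> None:
        self.allow = allow
        self.deny = set(deny)
        self.default_allow = default_allow

    def permit(self, principal: str, operation: str) -> bool:
        if principal in self.deny:
            return False
        if operation in self.allow.get(principal, set()):
            return True
        return self.default_allow


def audit_acl(acl: Authorizer) -> List[str]:
    """Findings for the two ACL review steps the advisory recommends."""
    findings = []
    if acl.default_allow:
        findings.append("implicit default-allow: unknown principals are permitted")
    if ANONYMOUS not in acl.deny:
        findings.append(f"{ANONYMOUS} is not explicitly denied")
    return findings


def access_granted(principal_fn, acl: Authorizer, cert: Optional[ClientCert],
                   operation: str) -> bool:
    """End to end: the transport assigns a principal, the authorizer decides.
    A rejected handshake never reaches the authorizer."""
    try:
        principal = principal_fn(cert)
    except HandshakeRejected:
        return False
    return acl.permit(principal, operation)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    permissive = Authorizer(allow={}, default_allow=True)
    hardened = Authorizer(allow={"CN=worker-1": {"submitTopology"}},
                          deny=[ANONYMOUS])
    for name, acl in (("permissive", permissive), ("hardened", hardened)):
        print(name,
              "fail-open:", access_granted(principal_fail_open, acl, None, "submitTopology"),
              "fail-closed:", access_granted(principal_fail_closed, acl, None, "submitTopology"),
              "findings:", audit_acl(acl))
```

Running the module shows the combination the advisory warns about: an unauthenticated client (no certificate) reaches the authorizer as CN=ANONYMOUS under fail-open handling and is permitted by the permissive ACL, while either mitigation alone (fail-closed transport, or an ACL that explicitly denies CN=ANONYMOUS with no default-allow) blocks it. `audit_acl` is the check to run over an existing configuration before relying on the ACL as the compensating control.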