JustAppSec

Apache Storm Prometheus plugin kills JVM-wide TLS validation

2 min read · Published 25 Apr 2026 · Source: oss-security (Openwall)

TL;DR - If you enabled storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation in any Storm daemon, you may have disabled TLS certificate validation for the entire JVM process, not just the Prometheus PushGateway. Upgrade to 2.8.7 or remove the setting now.

What happened

Apache Storm is a distributed stream-processing platform. Its Prometheus reporter (org.apache.storm:storm-metrics-prometheus) pushes daemon metrics to Prometheus, typically via a PushGateway.

CVE-2026-40557 is a classic JVM global-state footgun. When an admin enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation to relax certificate checks for the PushGateway, the reporter builds an INSECURE_TRUST_MANAGER with empty checkClientTrusted and checkServerTrusted implementations, then calls SSLContext.setDefault(sslContext).

That last call is the problem. SSLContext.setDefault() replaces the JVM-wide default SSL context, not just the context used for PushGateway connections. Every TLS client in the same daemon process that resolves its context through SSLContext.getDefault() or SSLSocketFactory.getDefault() from that point on silently accepts attacker-controlled certificates, even though it never asked to skip validation; only code that builds its own SSLContext from an explicit truststore is unaffected. The disclosure specifically names ZooKeeper, Thrift, Netty, and the Storm UI as collateral.

This is a recurring failure pattern in Java services: a narrow feature flag that says "ignore TLS for this one thing" ends up mutating shared global state and quietly widening the blast radius to everything else in the process.
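The pattern above, as an added example written for this article (it is not Storm's code and does not reproduce the reporter's implementation). The trust manager mirrors the shape the disclosure describes (empty checkClientTrusted and checkServerTrusted); the PushGateway URL is a placeholder, and openConnection() does not connect, so the program runs offline. It contrasts the process-wide SSLContext.setDefault() call with handing the relaxed context to a single connection:

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;

/** Added illustration of the CVE-2026-40557 footgun; not Apache Storm's code. */
public final class GlobalTlsFootgun {

    /** Accepts any chain: the shape of the INSECURE_TRUST_MANAGER described in the advisory. */
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    static SSLContext trustAllContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_ALL }, null);
        return ctx;
    }

    /** Vulnerable pattern: a flag meant for one PushGateway connection mutates JVM-wide state. */
    static SSLContext vulnerableSkipTlsValidation() throws GeneralSecurityException {
        SSLContext insecure = trustAllContext();
        SSLContext.setDefault(insecure);
        return insecure;
    }

    /** Scoped alternative: the relaxed context touches only the connection that asked for it. */
    static HttpsURLConnection scopedSkipTlsValidation(URL pushGatewayUrl) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) pushGatewayUrl.openConnection();
        conn.setSSLSocketFactory(trustAllContext().getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        SSLContext original = SSLContext.getDefault();

        SSLContext insecure = vulnerableSkipTlsValidation();
        // A completely unrelated client (think ZooKeeper, Thrift, the UI) that just asks for "the default"
        // now receives the trust-all context without ever opting in.
        SSLContext seenByUnrelatedClient = SSLContext.getDefault();
        System.out.println("unrelated client got trust-all context: " + (seenByUnrelatedClient == insecure)); // true

        SSLContext.setDefault(original); // undo, purely to contrast with the scoped form below
        URL pushGateway = new URL("https://pushgateway.example.internal:9091/metrics/job/storm"); // placeholder
        HttpsURLConnection pg = scopedSkipTlsValidation(pushGateway);
        System.out.println("scoped form leaves JVM default untouched: " + (SSLContext.getDefault() == original)); // true
        System.out.println("only this connection is relaxed: "
                + (pg.getSSLSocketFactory() != HttpsURLConnection.getDefaultSSLSocketFactory())); // true
    }
}
```

Even the scoped form still disables validation for the PushGateway hop, so it only narrows the blast radius; the real fix is to trust the PushGateway's issuing CA rather than to skip checking it.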

Who is impacted

  • Storm deployments using the Prometheus reporter artifact org.apache.storm:storm-metrics-prometheus.
  • Affected versions: 2.6.3 through 2.8.6.
  • Highest risk: clusters with storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true set in storm.yaml.
Affected component: org.apache.storm:storm-metrics-prometheus
Affected versions: 2.6.3 to 2.8.6
Trigger: storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true
Impact: Process-wide TLS certificate validation disabled via SSLContext.setDefault()

What to do now

  • Upgrade. The vendor is clear:

    "2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used."

  • If you cannot upgrade immediately:
    • Remove storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true from storm.yaml.
    • Configure a proper truststore that contains the PushGateway's issuing CA (or add that CA to the truststore the daemon JVM already uses) instead of skipping validation.
  • Treat this as a potential MITM exposure if the setting was ever enabled, even where the PushGateway itself was reachable only over a trusted link:
    • Inventory the TLS connections each Storm daemon process makes (ZooKeeper, Thrift, Netty, the UI) and which of them rely on the JVM default SSLContext rather than an explicit truststore.
    • Identify where an on-path attacker could sit: east-west traffic, shared subnets, misconfigured overlays.
    • Prioritise patching for clusters where Storm control-plane traffic (UI, Nimbus, Supervisor, ZooKeeper paths) crosses untrusted network segments.
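What the truststore alternative looks like in code, as an added example written for this article rather than Storm's own reporter code. It assumes a PKCS12 or JKS truststore holding the PushGateway's issuing CA (path and password are placeholders), builds an SSLContext from that store alone, and applies it to the PushGateway connection only, so SSLContext.getDefault() stays whatever the daemon started with. Wiring the returned connection into the Prometheus client's connection factory is left to the caller:

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

/** Added illustration: pin trust for the PushGateway without touching JVM-wide state. Not Storm's code. */
public final class ScopedPushGatewayTls {

    /** Build an SSLContext whose only trust anchors come from the given truststore file. */
    static SSLContext contextFromTruststore(Path truststore, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(truststore)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        // Deliberately no SSLContext.setDefault(ctx): this trust decision belongs to one client only.
        return ctx;
    }

    /** Open one HTTPS connection to the PushGateway using the scoped context (no network I/O yet). */
    static HttpsURLConnection openPushGatewayConnection(URL pushGatewayUrl, SSLContext scoped) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) pushGatewayUrl.openConnection();
        conn.setSSLSocketFactory(scoped.getSocketFactory()); // per-connection, not JVM-wide
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder truststore location and password; pass your own as arguments.
        Path truststore = Paths.get(args.length > 0 ? args[0] : "/etc/storm/pushgateway-truststore.p12");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        SSLContext before = SSLContext.getDefault();
        SSLContext scoped = contextFromTruststore(truststore, password);
        HttpsURLConnection conn = openPushGatewayConnection(
                new URL("https://pushgateway.example.internal:9091/metrics/job/storm"), scoped); // placeholder URL

        System.out.println("PushGateway connection uses the pinned context: "
                + (conn.getSSLSocketFactory() != HttpsURLConnection.getDefaultSSLSocketFactory())); // true
        System.out.println("JVM default context untouched: " + (SSLContext.getDefault() == before)); // true
    }
}
```

The two prints are the check a reviewer should insist on for any "relax TLS for X" feature: the special-cased client gets its own socket factory, and the process default is the same object before and after the feature initialises.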
