SCA: security update for org.apache.storm:storm-metrics-prometheus (GHSA-82fm-wpc2-5pmp)

medium Tenable Cloud Security Plugin ID 441259

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter
Versions Affected: from 2.6.3 to 2.8.6 Description: In production deployments where an administrator
enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled)
intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack
surface across every TLS-protected communication channel in the Storm daemon. The
PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates
without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when
the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled
(default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls
SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than
applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml
configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY →
SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections
in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates,
including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of
cluster state, topology submissions, tuple data, and administrative credentials. Mitigation: 2.x users
should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who
cannot upgrade immediately should remove the
storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml
configuration and instead configure a proper truststore containing the PushGateway's certificate.
(CVE-2026-40557)

Solution

Update the org.apache.storm:storm-metrics-prometheus library and its related packages to version 2.8.7 or later.

See Also

https://github.com/advisories/GHSA-82fm-wpc2-5pmp

Plugin Details

Severity: Medium

ID: 441259

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 5/6/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.71

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-40557

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/27/2026

Vulnerability Publication Date: 4/27/2026

Reference Information

CVE: CVE-2026-40557

cwe: CWE-295