Release Notes for Apache Storm 2.8.7

Issues addressed in 2.8.7.

Security Fixes

CVE-2026-40557 - Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter

Versions Affected: from 2.6.3 to 2.8.6.

Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon. The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation. When this setting is enabled, it calls SSLContext.setDefault(), which globally replaces the JVM's default SSL context, resulting in a JVM-wide TLS security downgrade.

Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Users who cannot upgrade immediately should ensure storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation is set to false (default) and configure a proper truststore.

Credit: This issue was discovered by K.

CVE-2026-41081 - Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment

Versions Affected: before 2.8.7.

Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication, the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if certificate verification fails, rather than rejecting the connection. This enables unauthenticated clients to establish a TLS connection and potentially bypass authorization if the authorizer does not explicitly deny access to CN=ANONYMOUS.

Mitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner. Users who cannot upgrade immediately should enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true) and ensure authorization rules explicitly deny access to CN=ANONYMOUS.

Credit: This issue was discovered by K.

Enhancements

• [#8533] - flux: fix 'recieveed' -> 'received' in LogInfoBolt Javadoc
• [#8532] - storm-client: fix 'accross' -> 'across' in Stream.java Javadoc
• [#8531] - storm-core: fix 'seperate' -> 'separate' in configuration.h comment
• [#8530] - docs: fix 'occured' -> 'occurred' in LocallyCachedBlob Javadoc
• [#8529] - docs: fix 'recieved' -> 'received' typo in IAutoCredentials Javadoc

Dependency upgrades

• [#8526] - Bump com.google.guava:guava from 33.5.0-jre to 33.6.0-jre
• [#8525] - Bump org.apache.commons:commons-configuration2 from 2.13.0 to 2.14.0
• [#8524] - Bump bouncycastle.version from 1.83 to 1.84
• [#8523] - Bump org.rocksdb:rocksdbjni from 10.10.1 to 10.10.1.1
• [#8522] - Bump org.jgrapht:jgrapht-core from 0.9.0 to 1.5.3
• [#8520] - Bump org.apache.hbase:hbase-client from 2.6.4-hadoop3 to 2.6.5-hadoop3
• [#8519] - Bump follow-redirects from 1.15.11 to 1.16.0 in /storm-webapp
• [#8511] - Bump axios from 1.13.6 to 1.15.0 in /storm-webapp
• [#8508] - Bump org.apache.activemq:activemq-client from 6.2.3 to 6.2.4
• [#8507] - Bump org.apache.activemq:activemq-broker from 6.2.3 to 6.2.4
• [#8506] - Bump org.apache.activemq:activemq-all from 6.2.3 to 6.2.4
• [#8505] - Bump org.apache.activemq:activemq-mqtt from 6.2.3 to 6.2.4

Bug fixing

• [#8518] - Cache busting is broken - ${packageTimestamp} is never substituted in HTML resources
• [#8516] - Hardening: clean up TlsTransportPlugin and surface unverified peers
• [#8515] - Profiling/debugging REST endpoints should use POST instead of GET