
Apache Storm 2.8.7


@reiabreu reiabreu released this 19 Apr 17:26

Apache Storm 2.8.7 has been released. This release includes critical security fixes, library updates, and documentation improvements. The community strongly encourages all users of previous versions to upgrade to this release.


⚠️ Security Fixes

  • CVE-2026-40557: JVM-wide TLS Security Downgrade in Prometheus Reporter
    • Versions Affected: 2.6.3 to 2.8.6.
    • Technical Description: Enabling the skip_tls_validation configuration in the Prometheus Reporter replaced the JVM's default SSL context with one that did not properly validate certificates. Because the default context is shared, this downgraded TLS security for every component running in the same process, not just the reporter.
    • Fix: The reporter now applies the validation bypass through a scoped SSL context used only by its own client, leaving the default JVM SSL context unchanged and secure.
  • CVE-2026-41081: Improper Handling of TLS Client Authentication Failures
    • Versions Affected: All versions before 2.8.7.
    • Technical Description: When TLS client authentication was enabled, failed authentication attempts were incorrectly assigned a fallback "ANONYMOUS" principal. This allowed unauthorized users to potentially bypass authorization checks that relied on the presence of a principal.
    • Fix: Connections are now strictly rejected if TLS client authentication fails or is missing when required.
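The defect behind CVE-2026-40557 and the shape of its fix, as an added Java illustration (not Storm's own Prometheus Reporter code; the class and method names are assumed):

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.net.http.HttpClient;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

public class ScopedTlsBypassExample {
    // Trust manager that accepts every certificate. If such a manager is ever
    // needed, it must be confined to one client, never installed process-wide.
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        }
    };

    static SSLContext trustAllContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, new SecureRandom());
        return ctx;
    }

    // BEFORE (the pattern described for CVE-2026-40557): the permissive context
    // becomes the JVM default, so every other TLS client in the same process
    // silently stops validating server certificates.
    static void skipTlsValidationJvmWide() throws Exception {
        SSLContext.setDefault(trustAllContext());
    }

    // AFTER: the permissive context is handed only to this client. Callers of
    // SSLContext.getDefault() elsewhere in the process are unaffected.
    static HttpClient skipTlsValidationScoped() throws Exception {
        return HttpClient.newBuilder().sslContext(trustAllContext()).build();
    }

    // Regression check a reviewer can run: the default context object must be
    // the same instance before and after the scoped bypass, and must differ
    // once the JVM-wide variant is used.
    public static void main(String[] args) throws Exception {
        SSLContext before = SSLContext.getDefault();
        skipTlsValidationScoped();
        System.out.println("default intact after scoped bypass:   " + (SSLContext.getDefault() == before));
        skipTlsValidationJvmWide();
        System.out.println("default intact after JVM-wide bypass: " + (SSLContext.getDefault() == before));
    }
}
```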

🐛 Bug Fixes

  • [#8518] - Cache busting is broken - ${packageTimestamp} is never substituted in HTML resources.
  • [#8516] - Hardening: clean up TlsTransportPlugin and surface unverified peers.
  • [#8515] - Profiling/debugging REST endpoints should use POST instead of GET.
  • [#8533] - flux: fix 'recieveed' -> 'received' in LogInfoBolt Javadoc.
  • [#8532] - storm-client: fix 'accross' -> 'across' in Stream.java Javadoc.
  • [#8531] - storm-core: fix 'seperate' -> 'separate' in configuration.h comment.
  • [#8530] - docs: fix 'occured' -> 'occurred' in LocallyCachedBlob Javadoc.
  • [#8529] - docs: fix 'recieved' -> 'received' in IAutoCredentials Javadoc.

📦 Dependency Upgrades

| Dependency | From | To | PR |
|---|---|---|---|
| com.google.guava:guava | 33.5.0-jre | 33.6.0-jre | [#8526] |
| org.apache.commons:commons-configuration2 | 2.13.0 | 2.14.0 | [#8525] |
| org.bouncycastle (bouncycastle.version) | 1.83 | 1.84 | [#8524] |
| org.rocksdb:rocksdbjni | 10.10.1 | 10.10.1.1 | [#8523] |
| org.jgrapht:jgrapht-core | 0.9.0 | 1.5.3 | [#8522] |
| org.apache.hbase:hbase-client | 2.6.4-hadoop3 | 2.6.5-hadoop3 | [#8520] |
| follow-redirects (storm-webapp) | 1.15.11 | 1.16.0 | [#8519] |
| axios (storm-webapp) | 1.13.6 | 1.15.0 | [#8511] |
| org.apache.activemq:activemq-client | 6.2.3 | 6.2.4 | [#8508] |
| org.apache.activemq:activemq-broker | 6.2.3 | 6.2.4 | [#8507] |
| org.apache.activemq:activemq-all | 6.2.3 | 6.2.4 | [#8506] |
| org.apache.activemq:activemq-mqtt | 6.2.3 | 6.2.4 | [#8505] |

📝 Contributors

Thank you to everyone who contributed to this release.