Apache · Apache Storm · CVE-2026-41081
**Name of the Vulnerable Software and Affected Versions**
Apache Storm versions prior to 2.8.7
**Description**
When TLS transport is enabled without requiring client certificate authentication, the `TlsTransportPlugin` assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if verification fails. This occurs because the `SSLPeerUnverifiedException` is caught and suppressed instead of rejecting the connection. This fail-open behavior allows unauthenticated clients to establish a TLS connection and receive a valid principal identity. If the configured authorizer, such as `SimpleACLAuthorizer`, does not explicitly deny access to CN=ANONYMOUS, it may lead to unauthorized access to services. This condition is only logged at the debug level, which limits visibility in production environments.
**Recommendations**
Update to version 2.8.7.
Enable mandatory client certificate authentication by setting `nimbus.thrift.tls.client.auth.required` to `true`.
Ensure authorization rules explicitly deny access to CN=ANONYMOUS.
Review all ACL configurations for implicit default-allow behavior.
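The fail-open fallback in the description and the explicit-deny and client-auth recommendations above, modelled as an added example that is not Apache Storm's code: principal resolution from a `getpeercert()`-style subject beside its fail-closed form, and an ACL check where only an explicit deny stops CN=ANONYMOUS (the `PeerUnverified` class, the ACL dict layout and the `alice` certificate are assumptions).

```python
ANONYMOUS = "CN=ANONYMOUS"  # fallback identity named in the advisory

# Constructed sample peers in the dict layout ssl.SSLSocket.getpeercert() returns
CERT_ALICE = {"subject": ((("commonName", "alice"),),)}
NO_CERT = {}  # no client certificate presented, or verification failed

class PeerUnverified(Exception):
    """Stands in for javax.net.ssl.SSLPeerUnverifiedException (assumed name)."""

def common_name(peer_cert):
    """Return 'CN=<value>' for a verified cert; raise when there is none."""
    if not peer_cert:  # None or {} means the peer never proved an identity
        raise PeerUnverified("no verified client certificate")
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return f"CN={value}"
    raise PeerUnverified("client certificate has no CN")

def principal_fail_open(peer_cert):
    """Vulnerable pattern: exception swallowed, usable identity handed to an unauthenticated peer."""
    try:
        return common_name(peer_cert)
    except PeerUnverified:
        return ANONYMOUS  # only a debug log in the vulnerable code path

def principal_fail_closed(peer_cert, client_auth_required=True):
    """Hardened: with client auth required, an unverified peer is rejected outright."""
    try:
        return common_name(peer_cert)
    except PeerUnverified:
        if client_auth_required:
            raise  # connection rejected; no principal is ever assigned
        return ANONYMOUS

def authorize(principal, acl, default_allow):
    """ACL check: an explicit deny beats the allow list and any default-allow."""
    if principal in acl.get("deny", ()):
        return False
    if principal in acl.get("allow", ()):
        return True
    return default_allow  # the implicit default-allow the advisory warns about

def access_granted(peer_cert, acl, default_allow, fail_open):
    """End to end: does this peer get past the transport and the authorizer?"""
    try:
        principal = (principal_fail_open if fail_open else principal_fail_closed)(peer_cert)
    except PeerUnverified:
        return False
    return authorize(principal, acl, default_allow)
```

With no certificate, a default-allow ACL that lists only real users still admits the anonymous principal on the fail-open path; either the explicit deny or the fail-closed transport stops it.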