Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a crypto-graphically secure random number generator. This may allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each process generates its own fallback secret, resulting in inconsistent secrets across nodes. This causes authentication failures in distributed or multi-broker deployments, effectively leading to a incorrectly configured clusters. Users are advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret` This issue affects Apache Druid: through 34.0.0. Users are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set.
When an administrator does not explicitly set the value of `druid.auth.authenticator.kerberos.cookieSignatureSecret`, Apache Druid generates a fallback secret using the `ThreadLocalRandom` class, which is not a cryptographically secure pseudorandom number generator (lacks CWE-338 secure entropy). An attacker can predict or brute force recover this secret and then forge signed authentication cookies. Additionally, each cluster node generates its own unique fallback secret, causing inconsistency between nodes and resulting in authentication failures in distributed and multi-broker environments.
An unauthenticated remote attacker can forge session cookies and bypass the Kerberos authentication mechanism, gaining unauthorized access to the Apache Druid cluster with full privileges. In distributed environments, improper configuration can also cause complete service unavailability.
Update Apache Druid to version 35.0.0, which enforces mandatory configuration of the `druid.auth.authenticator.kerberos.cookieSignatureSecret` parameter — services will not start without its explicit configuration. Until updating, immediately set a strong, cryptographically random secret as the value of `druid.auth.authenticator.kerberos.cookieSignatureSecret` on all cluster nodes.
Apache Druid in all versions up to and including 34.0.0 when using the Kerberos authenticator without the explicitly configured `druid.auth.authenticator.kerberos.cookieSignatureSecret` parameter
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Druid
APPApache< 35.0.0
Related vulnerabilities
Apache Druid – pominięcie uwierzytelnienia LDAP przez anonimowy bind
Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow ...
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of reques...
Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input Durin...
Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulat...