CRITICAL🇵🇱 Wersja polska

CVE-2025-59390

CVSS 9.8v3.1pub. 2025-11-26upd. 2025-12-04

Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a crypto-graphically secure random number generator. This may allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each process generates its own fallback secret, resulting in inconsistent secrets across nodes. This causes authentication failures in distributed or multi-broker deployments, effectively leading to a incorrectly configured clusters. Users are advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret` This issue affects Apache Druid: through 34.0.0. Users are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set.

🤖 AI Analysis
How it works

When an administrator does not explicitly set the value of `druid.auth.authenticator.kerberos.cookieSignatureSecret`, Apache Druid generates a fallback secret using the `ThreadLocalRandom` class, which is not a cryptographically secure pseudorandom number generator (lacks CWE-338 secure entropy). An attacker can predict or brute force recover this secret and then forge signed authentication cookies. Additionally, each cluster node generates its own unique fallback secret, causing inconsistency between nodes and resulting in authentication failures in distributed and multi-broker environments.

Impact

An unauthenticated remote attacker can forge session cookies and bypass the Kerberos authentication mechanism, gaining unauthorized access to the Apache Druid cluster with full privileges. In distributed environments, improper configuration can also cause complete service unavailability.

Mitigation & patch

Update Apache Druid to version 35.0.0, which enforces mandatory configuration of the `druid.auth.authenticator.kerberos.cookieSignatureSecret` parameter — services will not start without its explicit configuration. Until updating, immediately set a strong, cryptographically random secret as the value of `druid.auth.authenticator.kerberos.cookieSignatureSecret` on all cluster nodes.

Who is affected

Apache Druid in all versions up to and including 34.0.0 when using the Kerberos authenticator without the explicitly configured `druid.auth.authenticator.kerberos.cookieSignatureSecret` parameter

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Druid

    APP
    Apache
    < 35.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-23906CRITICAL9.8PL ✓ten sam produkt

Apache Druid – pominięcie uwierzytelnienia LDAP przez anonimowy bind

CVE-2021-26919HIGH8.8ten sam produkt

Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow ...

CVE-2021-25646HIGH8.8ten sam produkt

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of reques...

CVE-2025-27888MEDIUM5.8ten sam produkt

Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input Durin...

CVE-2024-45384MEDIUM5.3ten sam produkt

Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulat...