A critical vulnerability exists in Apache Druid's Kerberos authenticator due to the use of a weak, predictable secret for signing authentication cookies when one is not explicitly configured. This flaw could allow an attacker to forge authentication tokens, bypass security controls, and gain unauthorized access to the Druid data platform. The successful exploitation of this vulnerability could lead to significant data exposure, manipulation, or service disruption.

The vulnerability stems from the use of a cryptographically weak random number generator (ThreadLocalRandom) to create a fallback cookie signing secret for the Kerberos authenticator. This occurs when the druid.auth.authenticator.kerberos.cookieSignatureSecret property is not manually set by an administrator. An attacker with knowledge of this weakness could potentially predict or brute-force the generated secret, allowing them to craft and sign their own authentication cookies. This would grant them the ability to impersonate legitimate users, bypass authentication mechanisms, and gain unauthorized access to the Druid cluster and its data.

This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high potential for widespread and severe impact. Successful exploitation could grant an attacker full access to the Apache Druid cluster, which often stores sensitive business intelligence, financial, or user data. The potential consequences include unauthorized data exfiltration, data tampering, and denial-of-service against critical analytics functions. This poses a significant risk to data confidentiality, integrity, and availability, potentially leading to regulatory fines, reputational damage, and loss of customer trust.

Immediate Action: The primary remediation is to upgrade to Apache Druid version 35.0.0 or later, which makes it mandatory to set the druid.auth.authenticator.kerberos.cookieSignatureSecret. If an immediate upgrade is not possible, administrators must explicitly configure a strong, unique, and cryptographically secure secret for the druid.auth.authenticator.kerberos.cookieSignatureSecret property in their Druid configuration on all relevant nodes.

Proactive Monitoring: Monitor Druid authenticator logs for anomalous patterns, such as a high volume of failed authentication attempts from a single source followed by a successful login. Review access logs for any unusual or unauthorized queries or administrative actions. System administrators should also be alert to unexpected authentication failures across distributed clusters, as this is a symptom of the inconsistent fallback secret generation.

Compensating Controls: If patching or configuration changes cannot be immediately applied, implement the following controls:

• Restrict network access to the Druid cluster UI and API endpoints to trusted IP ranges using firewall rules or security groups.
• Place the Druid cluster behind a Web Application Firewall (WAF) with rules designed to detect and block token manipulation or brute-force attempts.
• Ensure comprehensive logging is enabled for all authentication and access events and that these logs are regularly reviewed by a security team.

Public Exploit Available: false

Given the critical CVSS score of 9.8, this vulnerability requires immediate attention. We strongly recommend all organizations using the Kerberos authenticator in Apache Druid to prioritize upgrading to version 35.0.0 or applying the specified configuration fix without delay. Although this vulnerability is not currently listed on the CISA KEV catalog, its severity and the potential for complete system compromise make it a high-priority target for remediation.