Apache Druid
cpe:2.3:a:apache:druid:*:*:*:*:*:*:*
- <= 34.0.0
A vulnerability exists in Apache Druid's Kerberos authenticator: when the 'druid.auth.authenticator.kerberos.cookieSignatureSecret' configuration property is not explicitly defined, a weak fallback secret is used instead. The fallback secret is generated with 'ThreadLocalRandom', which is not a cryptographically secure random number generator, so an attacker may be able to predict or brute-force the secret used to sign authentication cookies. This could lead to token forgery or authentication bypass. Furthermore, each process generates its own fallback secret, so the secret is inconsistent across nodes. In distributed or multi-broker deployments this can cause authentication failures and leave clusters incorrectly configured.
Exploitation of this vulnerability could allow for token forgery or authentication bypass, particularly in distributed or multi-broker deployments, where it could cause authentication failures and misconfigured clusters.
Users are advised to upgrade to Apache Druid version 35.0.0 or later, which requires the 'druid.auth.authenticator.kerberos.cookieSignatureSecret' to be explicitly set when using the Kerberos authenticator. Failure to set this secret will prevent the service from starting.
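As an added defender-side check (not part of this advisory or the Druid project's code), the following POSIX shell script audits a Druid runtime.properties file for Kerberos authenticators that leave cookieSignatureSecret unset and therefore rely on the weak fallback described above. It assumes the documented druid.auth.authenticator.<name>.type key layout; the two sample property files it writes are constructed for the demonstration and the secret value is a placeholder.

```shell
#!/bin/sh
# Added audit helper (not Druid project code): report Kerberos authenticators in a
# Druid runtime.properties that do not set cookieSignatureSecret and so, before
# Druid 35.0.0, silently fall back to a per-process ThreadLocalRandom secret.

# Print the names of authenticators declared with type=kerberos.
# Assumes the documented druid.auth.authenticator.<name>.type key layout.
kerberos_authenticators() {
  sed -n 's/^druid\.auth\.authenticator\.\([^.]*\)\.type[[:space:]]*=[[:space:]]*kerberos[[:space:]]*$/\1/p' "$1"
}

# Return 0 when every Kerberos authenticator has a non-empty cookieSignatureSecret,
# 1 otherwise, printing one diagnostic line per offending authenticator.
audit_cookie_secret() {
  props="$1"
  status=0
  for name in $(kerberos_authenticators "$props"); do
    if ! grep -q "^druid\.auth\.authenticator\.${name}\.cookieSignatureSecret[[:space:]]*=[[:space:]]*[^[:space:]]" "$props"; then
      echo "$props: authenticator '$name' has no cookieSignatureSecret (weak fallback secret in use)"
      status=1
    fi
  done
  return $status
}

# Constructed sample files for the demonstration; the secret value is a placeholder.
write_samples() {
  dir="$1"
  cat > "$dir/bad.properties" <<'EOF'
druid.auth.authenticatorChain=["kerberos"]
druid.auth.authenticator.kerberos.type=kerberos
EOF
  cat > "$dir/good.properties" <<'EOF'
druid.auth.authenticatorChain=["kerberos"]
druid.auth.authenticator.kerberos.type=kerberos
druid.auth.authenticator.kerberos.cookieSignatureSecret=REPLACE_WITH_LONG_RANDOM_SECRET
EOF
}

SAMPLE_DIR=$(mktemp -d)
write_samples "$SAMPLE_DIR"
audit_cookie_secret "$SAMPLE_DIR/bad.properties" || echo "bad.properties fails the audit"
audit_cookie_secret "$SAMPLE_DIR/good.properties" && echo "good.properties passes the audit"
```

Run it against each node's runtime.properties, since the fallback secret is generated per process and a single unset node is enough to break cookie validation across the cluster.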