Apache Druid Authentication Bypass Vulnerability via LDAP Anonymous Bind

Vulnerability

An authentication bypass vulnerability has been identified in Apache Druid versions 0.17.0 prior to 36.0.0. This issue arises when the druid-basic-security extension is enabled and LDAP authentication is used, provided that the LDAP server allows anonymous binds. In such cases, an attacker can bypass authentication by submitting a valid username with an empty password, gaining unauthorized access to restricted Druid resources. The vulnerability is due to inadequate validation of LDAP authentication responses, where successful anonymous binds are incorrectly accepted as valid user authentication.

Impact

Exploitation of this vulnerability allows remote, unauthenticated access to the Apache Druid cluster. This unauthorized access can lead to exposure of sensitive data in Druid datasources, execution of queries with potential data manipulation, and access to administrative interfaces if the compromised account has elevated privileges. Overall, this vulnerability can fully undermine the confidentiality, integrity, and availability of the Druid deployment.

Remediation

Users are advised to disable anonymous bind on their LDAP server, which will prevent exploitation of this vulnerability without requiring an upgrade of Apache Druid. For those who can upgrade, Druid should be updated to version 36.0.0 or later, which includes fixes to properly reject anonymous LDAP bind attempts.
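The following Python example is added here to illustrate the failure mode the advisory describes and the client-side checks that close it; it is not Apache Druid's code or the project's fix. The directory is a stand-in class so the example runs offline, and the names `FakeLdapServer`, `authenticate_vulnerable` and `authenticate_hardened`, the sample base DN and the sample user are all constructed for this illustration.

```python
"""Constructed illustration: an LDAP-backed authenticator that trusts the bind
result alone accepts an anonymous bind as a login, while a hardened version
rejects empty credentials and insists on a real authorization identity.

Added example, not Apache Druid's code. FakeLdapServer is a stand-in so the
example runs offline; the base DN and user data below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class BindResult:
    success: bool
    # RFC 4513 calls a bind with a DN and an empty password an "unauthenticated
    # bind"; a server that allows it grants anonymous access, so no
    # authorization identity is established.
    auth_dn: str = ""


@dataclass
class FakeLdapServer:
    """Minimal stand-in for a directory that permits anonymous binds."""
    base_dn: str
    users: dict = field(default_factory=dict)  # uid -> password (constructed)
    allow_anonymous: bool = True

    def bind(self, dn: str, password: str) -> BindResult:
        if password == "":
            # Anonymous/unauthenticated bind: accepted when the server allows
            # it, regardless of whether the named entry exists.
            return BindResult(success=self.allow_anonymous, auth_dn="")
        uid = dn.split(",", 1)[0].removeprefix("uid=")
        if self.users.get(uid) == password:
            return BindResult(success=True, auth_dn=dn)
        return BindResult(success=False)


def user_dn(server: FakeLdapServer, username: str) -> str:
    return f"uid={username},{server.base_dn}"


def authenticate_vulnerable(server: FakeLdapServer, username: str, password: str) -> bool:
    """Trusts the bind success flag alone: the pattern the advisory describes.
    With anonymous binds enabled, any username plus an empty password passes."""
    return server.bind(user_dn(server, username), password).success


def authenticate_hardened(server: FakeLdapServer, username: str, password: str) -> bool:
    """Two independent checks: never attempt a bind with empty credentials,
    and only accept a bind that produced an authorization identity equal to
    the DN we asked to authenticate. Either check alone defeats the bypass;
    together they also cover servers that map empty passwords to anonymous
    without reporting it as a failure."""
    if not username or not password:
        return False
    dn = user_dn(server, username)
    result = server.bind(dn, password)
    return result.success and result.auth_dn == dn


# Constructed sample directory: anonymous binds allowed, one known user.
DEMO = FakeLdapServer(
    base_dn="ou=people,dc=example,dc=org",
    users={"alice": "correct horse battery staple"},
)

if __name__ == "__main__":
    print("vulnerable, empty password:", authenticate_vulnerable(DEMO, "alice", ""))
    print("hardened,   empty password:", authenticate_hardened(DEMO, "alice", ""))
    print("hardened,   real password: ",
          authenticate_hardened(DEMO, "alice", "correct horse battery staple"))
```

The server-side remediation the advisory recommends is the complement of this check: with `allow_anonymous=False` in the stand-in (on OpenLDAP, the `disallow bind_anon` directive, written as `olcDisallows: bind_anon` under cn=config) even the unhardened authenticator stops accepting empty passwords, which is why disabling anonymous bind protects deployments that cannot upgrade yet.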

Added: Feb 10, 2026, 11:57 AM
Updated: Feb 10, 2026, 4:28 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 5.0
exploitability: 6.6
remediation: 7.9
relevance: 2.9
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.