CVE-2024-45384
📋 TL;DR
A padding oracle vulnerability in Apache Druid's optional druid-pac4j extension could allow attackers to manipulate session cookies. This affects Druid installations using the druid-pac4j extension in versions 0.18.0 through 30.0.0. The extension is disabled by default, so only systems explicitly enabling it are vulnerable.
💻 Affected Systems
- Apache Druid
📦 What is this software?
Druid by Apache
⚠️ Risk & Real-World Impact
Worst Case
Session hijacking or privilege escalation if attackers successfully manipulate pac4j session cookies to impersonate legitimate users.
Likely Case
Limited impact due to the optional nature of the extension and lack of known meaningful exploitation methods; potential for session manipulation in specific configurations.
If Mitigated
Minimal to no impact if the extension is disabled or proper security controls like strong cookie passphrases are implemented.
🎯 Exploit Status
No known meaningful exploitation methods exist currently, but padding oracle vulnerabilities can potentially be leveraged for session manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 30.0.1 or higher
Vendor Advisory: https://lists.apache.org/thread/gr94fnp574plb50lsp8jw4smvgv1lbz1
Restart Required: Yes
Instructions:
1. Upgrade Apache Druid to version 30.0.1 or higher.
2. Restart Druid services.
3. Verify the druid-pac4j extension is properly configured with a strong druid.auth.pac4j.cookiePassphrase.
🔧 Temporary Workarounds
Disable druid-pac4j extension
If not using the druid-pac4j extension, ensure it remains disabled in configuration.
Verify druid.extensions.loadList does not include 'druid-pac4j' in common.runtime.properties
Set strong cookie passphrase
Configure a strong, random passphrase for cookie encryption as an additional security measure.
Set druid.auth.pac4j.cookiePassphrase to a strong random value in common.runtime.properties
🧯 If You Can't Patch
- Disable the druid-pac4j extension if not required for functionality
- Implement network segmentation and restrict access to Druid instances
🔍 How to Verify
Check if Vulnerable:
Check whether the druid-pac4j extension is enabled in common.runtime.properties and verify that the Druid version is between 0.18.0 and 30.0.0 inclusive.
Check Version:
Check the Druid version via the /status API endpoint, the configuration files, or the startup logs.
Verify Fix Applied:
Confirm Druid version is 30.0.1 or higher and verify the druid-pac4j extension configuration includes a strong cookie passphrase.
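The checks above can be scripted against a copy of common.runtime.properties and the version string reported by /status. The following is an added example written for this page, not code from the advisory or the Druid project; the two properties files it inspects are constructed samples, and the placeholder host in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory or the Druid project): evaluates the two
# conditions this page gives for CVE-2024-45384, i.e. druid-pac4j is present in
# druid.extensions.loadList and the Druid version lies in 0.18.0..30.0.0, and
# separately reports whether druid.auth.pac4j.cookiePassphrase is set at all.

# Is version $1 within 0.18.0 through 30.0.0 inclusive? 0 = yes, 1 = no, 2 = unparsable.
version_in_affected_range() {
  v=${1%%-*}                                # drop suffixes such as "-incubating"
  IFS=. read -r maj min pat _ <<EOF
$v
EOF
  maj=${maj:-x}; min=${min:-0}; pat=${pat:-0}
  case "$maj$min$pat" in *[!0-9]*) return 2 ;; esac
  n=$((maj * 1000000 + min * 1000 + pat))  # 0.18.0 -> 18000, 30.0.0 -> 30000000
  [ "$n" -ge 18000 ] && [ "$n" -le 30000000 ]
}

# Is "druid-pac4j" listed on an uncommented druid.extensions.loadList line of file $1?
pac4j_enabled() {
  grep -E '^[[:space:]]*druid\.extensions\.loadList[[:space:]]*=' "$1" | grep -q '"druid-pac4j"'
}

# Does file $1 set a non-empty druid.auth.pac4j.cookiePassphrase? (Strength is a manual judgement.)
cookie_passphrase_set() {
  grep -Eq '^[[:space:]]*druid\.auth\.pac4j\.cookiePassphrase[[:space:]]*=[[:space:]]*[^[:space:]]+' "$1"
}

# Combine version ($1) and properties file ($2) into one finding line (first word is the verdict).
assess() {
  if ! pac4j_enabled "$2"; then echo "not-affected: druid-pac4j is not in loadList"; return 0; fi
  rc=0; version_in_affected_range "$1" || rc=$?
  case $rc in
    0) echo "vulnerable: druid-pac4j loaded and version $1 is in 0.18.0-30.0.0; upgrade to 30.0.1+" ;;
    1) echo "not-affected: version $1 is outside the affected range" ;;
    *) echo "unknown: cannot parse version '$1'" ;;
  esac
}

# Constructed sample configs so the script runs offline (not from a real deployment).
SAMPLE_PAC4J=$(mktemp); SAMPLE_PLAIN=$(mktemp)
trap 'rm -f "$SAMPLE_PAC4J" "$SAMPLE_PLAIN"' EXIT
printf '%s\n' 'druid.extensions.loadList=["druid-kafka-indexing-service","druid-pac4j"]' \
  'druid.auth.pac4j.cookiePassphrase=' >"$SAMPLE_PAC4J"
printf '%s\n' '# "druid-pac4j" appears only in this comment' \
  'druid.extensions.loadList=["druid-kafka-indexing-service"]' >"$SAMPLE_PLAIN"

# Live use (assumed host/port): VER=$(curl -s http://<druid-host>:<port>/status | sed -n 's/.*"version":"\([^"]*\)".*/\1/p')
assess 24.0.2 "$SAMPLE_PAC4J"
cookie_passphrase_set "$SAMPLE_PAC4J" || echo "warning: druid.auth.pac4j.cookiePassphrase is empty"
assess 24.0.2 "$SAMPLE_PLAIN"
```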
📡 Detection & Monitoring
Log Indicators:
- Unusual session cookie manipulation attempts, authentication errors related to pac4j
Network Indicators:
- Repeated requests to Druid endpoints with manipulated cookie values
SIEM Query:
Example: source="druid" AND (event_type="authentication_failure" OR cookie_manipulation_detected)