CVE-2025-59390
📋 TL;DR
Apache Druid's Kerberos authenticator uses a weak random fallback secret when cookieSignatureSecret isn't explicitly configured, allowing attackers to potentially forge authentication cookies and bypass authentication. This affects all Apache Druid deployments through version 34.0.0 using Kerberos authentication. The vulnerability also causes authentication failures in distributed deployments due to inconsistent secrets across nodes.
💻 Affected Systems
- Apache Druid
📦 What is this software?
Druid by Apache
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass allowing unauthorized access to Druid clusters, potentially leading to data exfiltration, data manipulation, or privilege escalation.
Likely Case
Authentication token forgery enabling unauthorized access to Druid services, potentially compromising sensitive data and cluster integrity.
If Mitigated
Authentication failures in distributed deployments causing service disruption, but no security compromise if a proper secret is configured.
🎯 Exploit Status
Exploitation requires predicting or brute-forcing the weak random secret, which is feasible but requires understanding of the authentication mechanism.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 35.0.0
Vendor Advisory: https://lists.apache.org/thread/jwjltllnntgj1sb9wzsjmvwm9f8rlhg8
Restart Required: Yes
Instructions:
1. Upgrade Apache Druid to version 35.0.0 or later.
2. Configure druid.auth.authenticator.kerberos.cookieSignatureSecret with a strong secret.
3. Restart all Druid services.
🔧 Temporary Workarounds
Configure Strong Cookie Signature Secret
Manually set a strong cryptographic secret for cookie signing.
Set druid.auth.authenticator.kerberos.cookieSignatureSecret to a strong random value (minimum 32 characters) in your Druid configuration
🧯 If You Can't Patch
- Immediately configure druid.auth.authenticator.kerberos.cookieSignatureSecret with a strong random secret in all Druid configurations
- Implement network segmentation and restrict access to Druid services only to authorized users and systems
🔍 How to Verify
Check if Vulnerable:
Check if Apache Druid version is 34.0.0 or earlier AND druid.auth.authenticator.kerberos.cookieSignatureSecret is not configured in your Druid configuration files.
Check Version:
Check the Druid version in the logs or via the /status API endpoint.
Verify Fix Applied:
Verify Druid version is 35.0.0 or later AND druid.auth.authenticator.kerberos.cookieSignatureSecret is properly configured with a strong secret.
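The check above, as an added example (not code from the advisory or from the Druid project): a small Python script that evaluates one node's runtime.properties together with the version string reported by the /status endpoint, and flags the vulnerable combination of an unpatched version and no explicit cookieSignatureSecret. The sample properties are constructed, the version is assumed to be taken from the `version` field of /status, and the 32-character minimum is the one recommended above.

```python
import re
import secrets

# Constructed sample of a node's runtime.properties; note the secret is absent.
SAMPLE_PROPERTIES = """\
druid.auth.authenticatorChain=["kerberos"]
druid.auth.authenticator.kerberos.type=kerberos
"""

SECRET_KEY = "druid.auth.authenticator.kerberos.cookieSignatureSecret"
FIXED_VERSION = (35, 0, 0)
MIN_SECRET_LEN = 32  # minimum length recommended above

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key: value, #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def parse_version(version):
    """Accepts '34.0.0' or '34.0.0-SNAPSHOT' as the /status endpoint reports it."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Druid version: {version!r}")
    return tuple(int(n) for n in m.groups())

def assess(version, properties_text):
    """Return (vulnerable, findings) for one node; run it against every node."""
    props = parse_properties(properties_text)
    findings = []
    secret = props.get(SECRET_KEY, "")
    if not secret:
        findings.append(f"{SECRET_KEY} not set: weak fallback secret in use")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append(f"{SECRET_KEY} shorter than {MIN_SECRET_LEN} characters")
    unpatched = parse_version(version) < FIXED_VERSION
    if unpatched:
        findings.append(f"Druid {version} predates the fixed release 35.0.0")
    # The CVE-2025-59390 condition: unpatched AND no explicit secret configured.
    return unpatched and not secret, findings

def generate_secret(nbytes=48):
    """A replacement secret from the OS CSPRNG; token_urlsafe(48) is 64 chars."""
    return secrets.token_urlsafe(nbytes)
```

Because the advisory notes that inconsistent secrets across nodes break authentication, the same generated value must be placed in every node's configuration before the restart.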
📡 Detection & Monitoring
Log Indicators:
- Authentication failures in distributed deployments
- Unexpected successful authentications from unknown sources
- Errors related to cookie signature validation
Network Indicators:
- Unusual authentication requests to Druid Kerberos endpoints
- Traffic patterns suggesting brute force attempts
SIEM Query:
Search for authentication events from Druid services with unexpected success/failure patterns