CVE-2025-59390— Apache Druid: Kerberos authenticaton chooses a cryptographically unsecure secret if not configured explicitly.

Apache Druid: Kerberos authenticaton chooses a cryptographically unsecure secret if not configured explicitly.

Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a crypto-graphically secure random number generator. This may allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each process generates its own fallback secret, resulting in inconsistent secrets across nodes. This causes authentication failures in distributed or multi-broker deployments, effectively leading to a incorrectly configured clusters. Users are advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret` This issue affects Apache Druid: through 34.0.0. Users are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set.

N/A

使用具有密码学弱点缺陷的PRNG

Apache Druid 安全漏洞

Apache Druid是美国阿帕奇（Apache）基金会的一款使用Java语言编写的、面向列的开源分布式数据库。 Apache Druid 34.0.0及之前版本存在安全漏洞，该漏洞源于Kerberos认证器使用弱回退密钥，可能导致认证绕过。

N/A

N/A