Overview
This article discusses CVE-2025-59390, a security vulnerability affecting Apache Druid versions up to 34.0.0. This vulnerability exposes Druid clusters utilizing Kerberos authentication to a potential authentication bypass. The issue stems from the use of a weak, predictable fallback secret used to sign authentication cookies when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set.
Technical Details
The core of the vulnerability lies within Druid’s Kerberos authenticator. When the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration parameter isn’t explicitly defined, Druid resorts to a fallback secret. This fallback secret is generated using `ThreadLocalRandom`, a pseudo-random number generator that is not cryptographically secure. The predictable nature of `ThreadLocalRandom` makes it possible for an attacker to potentially predict or brute-force the secret used for cookie signing. This compromise enables malicious actors to forge authentication cookies and bypass authentication mechanisms.
Further exacerbating the issue, each Druid process generates its own unique fallback secret. This inconsistency leads to authentication failures in distributed or multi-broker deployments, as different nodes will use different secrets to validate the same cookie. This can effectively lead to an incorrectly configured cluster, even without malicious intent.
CVSS Analysis
Currently, a CVSS score is not available for CVE-2025-59390. However, due to the potential for authentication bypass, it’s reasonable to expect a high severity score to be assigned once a formal analysis is conducted. The impact is significant because successful exploitation could grant unauthorized access to sensitive data and functionalities within the Druid cluster.
Possible Impact
A successful exploit of CVE-2025-59390 could lead to several critical consequences:
- Authentication Bypass: Attackers could forge authentication cookies, gaining unauthorized access to Druid data and functionalities.
- Data Breach: Unauthorized access could lead to the extraction of sensitive data stored within Druid.
- System Compromise: Attackers could potentially manipulate or control the Druid cluster, disrupting operations or injecting malicious code.
Mitigation and Patch Steps
The recommended solution to address CVE-2025-59390 is to upgrade your Apache Druid installation to version 35.0.0 or later. Version 35.0.0 mandates the explicit configuration of `druid.auth.authenticator.kerberos.cookieSignatureSecret` when the Kerberos authenticator is in use. Services will now fail to start if this secret is not properly set, preventing the vulnerable fallback mechanism from being used.
Steps to Mitigate:
- Upgrade to Apache Druid 35.0.0 or later.
- Explicitly configure `druid.auth.authenticator.kerberos.cookieSignatureSecret`. Ensure the secret is strong and randomly generated using a cryptographically secure method.
- Restart your Druid cluster after applying the configuration changes.
- Monitor your Druid cluster for any unusual activity after the upgrade.
