Apache Druid, a high-performance real-time analytics database, includes a Kerberos authenticator component that relies on a secret to sign authentication cookies. In versions through 34.0.0, if the configuration parameter 'druid.auth.authenticator.kerberos.cookieSignatureSecret' is not set, the system falls back to generating a secret using Java's ThreadLocalRandom. ThreadLocalRandom is not a cryptographically secure pseudo-random number generator (PRNG), making the fallback secret predictable or brute-forceable by attackers. This vulnerability (CWE-338) enables attackers to forge authentication tokens, bypass authentication controls, and potentially gain unauthorized access. Furthermore, because each process generates its own fallback secret independently, multi-node or distributed Apache Druid clusters experience inconsistent secrets across nodes, leading to authentication failures and misconfigured clusters. The vulnerability is addressed in Apache Druid 35.0.0, which mandates explicit configuration of a strong 'cookieSignatureSecret' and prevents the service from starting without it, thereby eliminating the fallback to a weak PRNG. The CVSS 3.1 score of 9.8 indicates a critical severity with network attack vector, low attack complexity, no privileges or user interaction required, and impacts on confidentiality, integrity, and availability.

For European organizations using Apache Druid versions up to 34.0.0, this vulnerability poses a severe risk. Attackers can exploit the weak fallback secret to forge authentication cookies, bypassing Kerberos authentication and gaining unauthorized access to sensitive analytics data. This compromises confidentiality and integrity of data, and may allow attackers to manipulate or disrupt analytics operations, impacting availability. Distributed deployments common in large enterprises and service providers will face authentication failures due to inconsistent secrets, causing operational disruptions and potential downtime. Given Apache Druid's use in sectors like finance, telecommunications, and government analytics across Europe, exploitation could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), and reputational damage. The ease of exploitation without authentication or user interaction increases the urgency for mitigation.

European organizations should immediately audit their Apache Druid deployments to identify versions prior to 35.0.0 and verify if 'druid.auth.authenticator.kerberos.cookieSignatureSecret' is configured. The primary mitigation is to upgrade to Apache Druid 35.0.0 or later, which enforces mandatory strong secret configuration and disables fallback to weak PRNG. If immediate upgrade is not feasible, administrators must explicitly set a strong, cryptographically secure secret for 'druid.auth.authenticator.kerberos.cookieSignatureSecret' using a high-entropy random value generated by a secure PRNG (e.g., SecureRandom). Additionally, organizations should monitor authentication logs for anomalies indicative of token forgery or authentication bypass attempts. Network segmentation and strict access controls around Apache Druid nodes can reduce exposure. Finally, integrating multi-factor authentication and continuous security monitoring can help detect and prevent exploitation attempts.