Apache Druid on 办公AI智能小助手 https://blog.qife122.com/tags/apache-druid/ Recent content in Apache Druid on 办公AI智能小助手 Hugo zh-cn qife Wed, 03 Dec 2025 23:31:42 +0800 Apache Druid Kerberos认证器因弱随机数生成器导致严重安全漏洞 https://blog.qife122.com/p/apache-druid-kerberos%E8%AE%A4%E8%AF%81%E5%99%A8%E5%9B%A0%E5%BC%B1%E9%9A%8F%E6%9C%BA%E6%95%B0%E7%94%9F%E6%88%90%E5%99%A8%E5%AF%BC%E8%87%B4%E4%B8%A5%E9%87%8D%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/ Wed, 03 Dec 2025 23:31:42 +0800 https://blog.qife122.com/p/apache-druid-kerberos%E8%AE%A4%E8%AF%81%E5%99%A8%E5%9B%A0%E5%BC%B1%E9%9A%8F%E6%9C%BA%E6%95%B0%E7%94%9F%E6%88%90%E5%99%A8%E5%AF%BC%E8%87%B4%E4%B8%A5%E9%87%8D%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/ <h3 id="漏洞详情">漏洞详情</h3> <p><strong>包管理器:</strong> Maven <strong>受影响包:</strong> org.apache.druid:druid <strong>受影响版本:</strong> &lt; 35.0.0 <strong>已修复版本:</strong> 35.0.0</p> <h3 id="描述">描述</h3> <p>Apache Druid 的 Kerberos 认证器在未显式设置 <code>druid.auth.authenticator.kerberos.cookieSignatureSecret</code> 配置项时,会使用一个弱回退密钥。在这种情况下,密钥是使用 <code>ThreadLocalRandom</code> 生成的,而它并非加密安全的随机数生成器。这可能允许攻击者预测或暴力破解用于签名身份验证Cookie的密钥,从而可能导致令牌伪造或身份验证绕过。</p> Apache Druid Kerberos认证安全漏洞分析:弱随机数生成导致认证绕过风险 https://blog.qife122.com/p/apache-druid-kerberos%E8%AE%A4%E8%AF%81%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%BC%B1%E9%9A%8F%E6%9C%BA%E6%95%B0%E7%94%9F%E6%88%90%E5%AF%BC%E8%87%B4%E8%AE%A4%E8%AF%81%E7%BB%95%E8%BF%87%E9%A3%8E%E9%99%A9/ Thu, 27 Nov 2025 17:06:51 +0800 https://blog.qife122.com/p/apache-druid-kerberos%E8%AE%A4%E8%AF%81%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%BC%B1%E9%9A%8F%E6%9C%BA%E6%95%B0%E7%94%9F%E6%88%90%E5%AF%BC%E8%87%B4%E8%AE%A4%E8%AF%81%E7%BB%95%E8%BF%87%E9%A3%8E%E9%99%A9/ <h2 id="概述">概述</h2> <p>Apache Druid的Kerberos认证器在<code>druid.auth.authenticator.kerberos.cookieSignatureSecret</code>配置未显式设置时,使用弱回退密钥。这种情况下,密钥使用<code>ThreadLocalRandom</code>生成,这不是密码学安全的随机数生成器。</p> Apache Druid Kerberos认证安全漏洞分析:弱随机数生成导致认证绕过风险 https://blog.qife122.com/p/apache-druid-kerberos%E8%AE%A4%E8%AF%81%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%BC%B1%E9%9A%8F%E6%9C%BA%E6%95%B0%E7%94%9F%E6%88%90%E5%AF%BC%E8%87%B4%E8%AE%A4%E8%AF%81%E7%BB%95%E8%BF%87%E9%A3%8E%E9%99%A9/ Wed, 26 Nov 2025 21:21:08 +0800 https://blog.qife122.com/p/apache-druid-kerberos%E8%AE%A4%E8%AF%81%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%BC%B1%E9%9A%8F%E6%9C%BA%E6%95%B0%E7%94%9F%E6%88%90%E5%AF%BC%E8%87%B4%E8%AE%A4%E8%AF%81%E7%BB%95%E8%BF%87%E9%A3%8E%E9%99%A9/ <h2 id="概述">概述</h2> <p>Apache Druid的Kerberos认证器在未显式配置<code>druid.auth.authenticator.kerberos.cookieSignatureSecret</code>时使用弱回退密钥。这种情况下,密钥使用<code>ThreadLocalRandom</code>生成,这不是加密安全的随机数生成器。</p>