VYPR
Moderate severity · NVD Advisory · Published Jul 7, 2022 · Updated Aug 3, 2024

Clickjacking in the web console

CVE-2022-28889

Description

Apache Druid 0.22.1 and earlier lacks anti-clickjacking headers, enabling UI redressing attacks; fixed in 0.23.0 via Content-Security-Policy.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2022-28889 is a missing anti-clickjacking defense in Apache Druid versions 0.22.1 and earlier. The server did not set the X-Frame-Options or Content-Security-Policy headers, leaving the Web Console and other UI components vulnerable to clickjacking attacks [1][2]. This means an attacker could trick a user into interacting with the Druid Web Console through an invisible overlay on a malicious page.

Exploitation

The attack requires no authentication beyond the attacker convincing a Druid user to visit a crafted web page while logged into the Druid console. The lack of frame-busting headers allows the malicious site to load Druid's UI in an `<iframe>` and overlay transparent elements to capture clicks [1][2]. No network-level access to the Druid server is needed; the exploit works entirely through browser behavior.

Impact

Successful clickjacking could enable an attacker to force actions such as modifying queries, altering datasource configurations, or triggering ingestion tasks on behalf of the victim. The impact is limited to actions permitted by the victim's session privileges, but could lead to data exfiltration or cluster disruption if the victim has administrative rights [2].

Mitigation

Apache fixed the issue in Druid 0.23.0 by adding a Content-Security-Policy: frame-ancestors 'none' header and an explicit X-Frame-Options: DENY header to all responses [1][2]. Users should upgrade to Druid 0.23.0 or later. No workarounds are documented, but administrators can mitigate by configuring a reverse proxy to inject the missing headers if an upgrade is not immediately possible.
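The following is an added example, not code from the advisory or from the Apache Druid project. It implements the check a defender would run against a captured response from the Web Console (or from a reverse proxy in front of it): given the response headers, does any third-party origin remain free to frame the page? The header sets named DRUID_0_22_1_RESPONSE and DRUID_0_23_0_RESPONSE are constructed to mirror the advisory's description of the unfixed and fixed releases; they are not captured traffic. Precedence follows browser behavior: a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options when both are present, and an X-Frame-Options value the browser does not recognise gives no protection at all.

```python
"""
Anti-clickjacking header check (added example, not code from the advisory
or the Apache Druid project). Given the response headers of a page such as
the Druid Web Console, decide whether an arbitrary third-party origin could
embed it in a frame. The sample header sets are constructed, not captured.
"""
from typing import Dict, List, Mapping, Tuple


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.

    Directives are ';'-separated; the first token of each is the directive
    name, the remaining tokens are source expressions. Everything is
    lower-cased because browsers match directive names and most source
    expressions case-insensitively.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def cross_origin_framing_allowed(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason): can an unrelated origin frame this response?

    CSP frame-ancestors takes precedence over X-Frame-Options when present.
    An X-Frame-Options value other than DENY/SAMEORIGIN is ignored by current
    browsers, so it is reported as offering no protection.
    """
    lower = {name.lower(): val for name, val in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            # No sources at all, or 'none': nothing may frame the page.
            if not ancestors or ancestors == ["'none'"]:
                return False, "CSP frame-ancestors 'none'"
            # '*' or a bare scheme such as 'https:' matches any origin.
            open_sources = [s for s in ancestors if s == "*" or s.endswith(":")]
            if open_sources:
                return True, f"CSP frame-ancestors is open: {' '.join(open_sources)}"
            return False, f"CSP frame-ancestors restricted to {' '.join(ancestors)}"

    xfo = lower.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return False, f"X-Frame-Options {value}"
        return True, f"X-Frame-Options {xfo!r} is not a recognised value and is ignored"

    return True, "no frame-ancestors directive and no X-Frame-Options header"


# Constructed header sets reflecting the advisory's before/after description.
DRUID_0_22_1_RESPONSE = {
    "Content-Type": "text/html;charset=utf-8",
}
DRUID_0_23_0_RESPONSE = {
    "Content-Type": "text/html;charset=utf-8",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}


def audit(samples: Mapping[str, Mapping[str, str]]) -> Dict[str, bool]:
    """Map each sample name to True when that response is exposed to framing."""
    return {name: cross_origin_framing_allowed(h)[0] for name, h in samples.items()}


if __name__ == "__main__":
    for name, hdrs in {"0.22.1": DRUID_0_22_1_RESPONSE,
                       "0.23.0": DRUID_0_23_0_RESPONSE}.items():
        allowed, why = cross_origin_framing_allowed(hdrs)
        print(f"Druid {name}: {'EXPOSED' if allowed else 'protected'} ({why})")
```

If the reverse-proxy workaround mentioned above is used instead of an upgrade, the same two headers are added at the proxy, and this check run against the proxied response confirms that the console is no longer frameable from other origins. The reason string also flags the common misconfiguration of an unrecognised X-Frame-Options value, which modern browsers silently ignore.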

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.druid:druid (Maven)
Affected versions: < 0.23.0
Patched versions: 0.23.0

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)