Recent discoveries have unveiled three significant security vulnerabilities within Azure HDInsight’s Apache Hadoop, Kafka, and Spark services. These vulnerabilities pose risks of privilege escalation and a regular expression denial-of-service (ReDoS) condition, affecting authenticated users across various Azure HDInsight services, including Apache Ambari and Apache Oozie.
- CVE-2023-36419 (CVSS score: 8.8): This vulnerability in Azure HDInsight Apache Oozie Workflow Scheduler involves XML External Entity (XXE) Injection, leading to elevation of privilege. It results from insufficient user input validation, enabling attackers to read root-level files and escalate privileges.
- CVE-2023-38156 (CVSS score: 7.2): Found in Azure HDInsight Apache Ambari, this Java Database Connectivity (JDBC) Injection vulnerability also facilitates elevation of privilege. Attackers can exploit this flaw to execute a specially crafted network request, potentially obtaining a reverse shell as root.
- Azure HDInsight Apache Oozie Regular Expression Denial-of-Service (ReDoS) Vulnerability: This flaw, while not assigned a CVE, stems from inadequate input validation, allowing attackers to initiate an intensive loop operation through a large range of action IDs, causing DoS.
Attack Scenario and Exploitation
These vulnerabilities enable an authenticated attacker with access to the target HDI cluster to gain cluster administrator privileges through specially crafted network requests. The XXE and JDBC injection flaws specifically allow for privilege escalation, while the ReDoS vulnerability can severely disrupt system operations, degrade performance, and impact service availability and reliability.
Response and Mitigation
Microsoft has addressed these vulnerabilities by releasing fixes on October 26, 2023, following responsible disclosure protocols. Organizations using Azure HDInsight services are strongly encouraged to apply these updates promptly to mitigate the risks associated with these vulnerabilities.
Threat Landscape and Impact
The discovery of these vulnerabilities highlights the ongoing security challenges within cloud services and the potential for exploitation that can lead to unauthorized data access, system disruption, and compromised system integrity. It follows previous disclosures by Orca Security, which detailed vulnerabilities in the same ecosystem capable of data access, session hijacking, and malicious payload delivery.
Additionally, Orca Security’s recent findings regarding Google Cloud Dataproc clusters underscore the broader issue of security risks in cloud environments, emphasizing the need for stringent security controls and vigilant management of cloud resources.
The identification of new vulnerabilities in Azure HDInsight’s services serves as a critical reminder of the importance of regular security assessments, prompt patch management, and the adoption of comprehensive security measures to protect cloud environments against emerging threats. Organizations must remain proactive in their security practices to safeguard their cloud infrastructure and sensitive data against potential exploitation.
Stay safe and informed,