Three high-risk vulnerabilities have been discovered in Microsoft Azure’s HDInsight big data analytics service.
Four and a half months after disclosing eight cross-site scripting (XSS) vulnerabilities in the cloud data tool, Orca Security published new discoveries involving a denial of service (DoS) bug and two privilege escalation bugs plaguing the same service.
This new trio opens the door to performance issues and unauthorized administrative access, and all that comes with it: attackers could read, write, delete, and perform any other management operations on an organization’s sensitive data.
Three new bugs in Azure HDInsight
One of the new escalation bugs affects Apache Ambari, an open source tool that makes it easier to deploy, manage, and monitor Apache Hadoop clusters.
CVE-2023-38156, given a “high” score of 7.2 out of 10 on the CVSS scale, concerns the URL endpoint associated with Java Database Connectivity (JDBC), a Java application programming interface (API) responsible for defining how a client can access a database. By manipulating the JDBC endpoint, the researchers found that they could successfully drop a reverse shell and switch from normal user privileges to root access in a Hadoop cluster.
The other two vulnerabilities affect Apache Oozie, a workflow scheduler for Hadoop.
The more serious of the two, CVE-2023-36419, is caused by a lack of proper validation of user input, opening the door to XML External Entity (XXE) injection attacks. An attacker who exploits XXE in the workflow scheduler could escalate privileges and read arbitrary files on the server, including sensitive system files. CVE-2023-36419 was given a “high” CVSS score of 8.8 by Microsoft, but a “critical” score of 9.8 by the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD).
The other, moderate-severity bug also comes from a lack of proper input validation: when a user requests logs for a specific job and specifies a very wide range of actions, the request triggers an intensive loop that the system is unable to manage. This may slow down or completely crash the Oozie dashboard, cause delays, failures, or other errors in scheduling and managing Oozie jobs, and degrade the performance of other services on the same host.
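One way to close the kind of gap described above, shown as an added example that is not Oozie's or Microsoft's code: check the requested action range and cap its total width before any loop runs. The `1-3,5` range syntax, the limit of 50 actions and all names in the block are assumptions made for illustration.

```python
# Added example: bound a user-supplied action-range string before iterating.
# The "1-3,5" syntax, MAX_ACTIONS and parse_action_scope are assumptions,
# not taken from Oozie or from the advisory.
MAX_ACTIONS = 50          # hypothetical per-request ceiling
MAX_SCOPE_CHARS = 256     # reject oversized input before parsing it


class ScopeError(ValueError):
    """Raised when a requested action scope is malformed or too wide."""


def parse_action_scope(scope: str, limit: int = MAX_ACTIONS) -> list[int]:
    """Return the sorted action numbers named by scope, or raise ScopeError.

    The width of every range is computed arithmetically and charged against
    the limit before any number is materialised, so a request such as
    "1-9999999999" costs one subtraction instead of billions of iterations.
    """
    if not scope or len(scope) > MAX_SCOPE_CHARS:
        raise ScopeError("scope is empty or too long")
    spans = []
    budget = limit
    for part in scope.split(","):
        lo_text, sep, hi_text = part.strip().partition("-")
        hi_text = hi_text if sep else lo_text   # "5" means the range 5-5
        if not (lo_text.isascii() and lo_text.isdigit()
                and hi_text.isascii() and hi_text.isdigit()):
            raise ScopeError(f"not an action number or range: {part!r}")
        lo, hi = int(lo_text), int(hi_text)
        if lo < 1 or hi < lo:
            raise ScopeError(f"invalid range: {part!r}")
        # Overlapping ranges are charged twice, which errs on the safe side.
        budget -= hi - lo + 1
        if budget < 0:
            raise ScopeError(f"scope covers more than {limit} actions")
        spans.append((lo, hi))
    # Safe to expand now: the total width is bounded by limit.
    return sorted({n for lo, hi in spans for n in range(lo, hi + 1)})
```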
Why Azure HDInsight vulnerabilities matter
Data processing tools in an organizational context can house enormous amounts of valuable information.
“HDInsight is used to perform analytics on ‘Big Data,’ which is large amounts of structured, unstructured, and fast-moving data,” explains Bar Kaduri, research group leader at Orca Security. “Typically, it is larger organizations that use big data analytics to identify new business opportunities and facilitate strategic decisions.”
Indeed, some of the world’s largest companies, including Unilever, MetLife, Ernst & Young and others, use Azure HDInsight, according to business data aggregators.
“We can safely assume that this big data likely contains valuable and sensitive customer and market information that organizations would like to do their best to protect,” says Kaduri, underscoring the need for organizations to diligently apply patches as new security gaps surface.
All three new bugs have been fixed as of October 26th. HDInsight users are advised to apply the latest patch from Microsoft if they haven’t already, with one caveat: the service doesn’t support in-place upgrades.
To adequately protect their applications, HDInsight users must create a cluster with the latest version and updates of the platform, then migrate from the old to the new.