Azure HDInsight, a cloud-based service by Microsoft, has recently been found to have multiple Cross-Site Scripting (XSS) vulnerabilities. These vulnerabilities include Stored XSS and Reflected XSS, with severity levels ranging from 4.5 (Medium) to 4.6 (Medium).
The vulnerabilities have impacted various products within Azure HDInsight, such as Azure Apache Oozie, Apache Ambari, Jupyter Notebooks, Apache Hadoop, and Apache Hive 2. However, the good news is that Microsoft has already addressed and fixed these vulnerabilities in their 8th August Security update.
According to reports shared by Cyber Security News, a total of six Stored XSS vulnerabilities and two Reflected XSS vulnerabilities were identified. Four of the Stored XSS vulnerabilities were found in Apache Ambari. These vulnerabilities were specifically related to YARN Configurations, YARN Queue Manager, Background Operations, and Managed Notifications. All six of these vulnerabilities fall under the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-36881.
The remaining two Stored XSS vulnerabilities were discovered in Jupyter Notebooks and Apache Woozie, categorized under CVE-2023-35394 and CVE-2023-36877 respectively. CVE-2023-35394 pertains to Code Execution in Jupyter Notebooks with a severity level of 4.6 (Medium), while CVE-2023-36877 is associated with Web Console Stored XSS and has a severity level of 4.5 (Medium).
Additionally, there were two Reflected XSS vulnerabilities found in Apache Hadoop and Apache Hive 2. These vulnerabilities are identified as CVE-2023-38188 and CVE-2023-35393. Both vulnerabilities have a severity level of 4.5 (Medium) and can be triggered through endpoint manipulation.
To gain more in-depth information about the exploitation, proof-of-concept, and other details related to these vulnerabilities, Orca Security has published a comprehensive report. It is highly recommended that users of the affected products upgrade to the latest versions to prevent potential exploitation of these vulnerabilities.
In conclusion, Azure HDInsight has taken prompt action to address multiple XSS vulnerabilities, ensuring the security and integrity of their cloud-based service. By promptly releasing a security update, Microsoft has demonstrated their commitment to protecting their customers’ data and privacy. Users are urged to stay updated with the latest cybersecurity news and follow recommended security practices to mitigate risks associated with potential vulnerabilities.