
Netflix Genie Bug Exposes Big Data Orchestration Vulnerability to RCE


A critical vulnerability has been discovered in the open-source version of Netflix's Genie job orchestration engine for big data applications, potentially allowing remote attackers to execute arbitrary code on systems running affected versions of the software. The bug, tracked as CVE-2024-4701, has been given a near-maximum critical score of 9.9 out of 10 on the CVSS vulnerability-severity scale. It affects organizations that run their own instance of Genie OSS and use the local file system to upload and store user-submitted file attachments.

Genie is a platform that organizations utilize to orchestrate, run, and monitor various big data jobs and workflows across different frameworks and distributed computational clusters. It also provides APIs for managing metadata and configurations of these clusters and the applications running on them, giving users access to computational resources required for big data environments like Hadoop, Spark, Pig, Hive, Sqoop, and Presto. Essentially, Genie offers access to internal data and resources for organizations utilizing the platform.

Contrast Security researchers recently uncovered the vulnerability and reported it to Netflix. In their findings, they described the bug as enabling remote code execution during the file upload process. According to the researchers, a successful attack could trick a web application into exposing sensitive information such as credentials, application code, and operating system files beyond the intended scope.

Netflix has been using Genie internally for over a decade to run thousands of Hadoop jobs a day in its petabyte-scale environment. The company released Genie to the open-source community in 2013. The vulnerability exists in Genie OSS versions prior to 4.3.18, and Netflix has released a fix in version 4.3.18 to address the issue. Organizations are advised to upgrade to the latest version to mitigate the risk.

Contrast Security elaborated on the vulnerability, explaining that it involves a Genie API through which users submit SQL queries to be run by Spark SQL. As part of that request, a user can upload a SQL file containing the code to be executed. The researchers discovered that the filename parameter of this API is vulnerable to path traversal, allowing an attacker to have the uploaded file written to a location outside the expected attachment directory. This could potentially enable the attacker to gain control of the server and access or exfiltrate sensitive data within the big data sets managed by Genie.
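To make the weakness described above concrete, here is an added example that is not code from the article, from Contrast Security, or from the Genie project (Genie itself is written in Java; Python is used here only so the logic is short and runnable). The storage root, the job-id scheme and every function name are assumptions. The weak form joins the client-supplied filename onto the storage directory as-is, so a name containing `..` segments or an absolute path lands outside the job directory; the hardened form allow-lists the name, refuses any path separator, validates the job id the same way, and confirms the normalised result still lies inside the job directory. The same rule is exposed as a helper that can be run over filenames pulled from upload logs to spot requests a hardened server would have refused.

```python
import posixpath
import re
from typing import List, Optional, Tuple

# Constructed storage root for this example; a real Genie deployment configures
# its own attachment directory (assumption, not taken from the article).
ATTACHMENT_ROOT = "/var/lib/genie/attachments"

# Allow-list: one plain file name, no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


class UnsafeFilename(ValueError):
    """Raised when a client-supplied name must not be used to build a path."""


def unsafe_attachment_path(job_id: str, filename: str) -> str:
    """The weak pattern: the client-supplied name is joined onto the storage
    directory verbatim. '..' segments or an absolute path walk out of it."""
    return posixpath.normpath(posixpath.join(ATTACHMENT_ROOT, job_id, filename))


def filename_problem(filename: str) -> Optional[str]:
    """Return the reason a name is unsafe, or None if it passes the allow-list.
    Kept separate so the same rule can be run over upload logs for review."""
    if "\x00" in filename or any(ord(ch) < 32 for ch in filename):
        return "control character"
    if "/" in filename or "\\" in filename:
        return "path separator"       # covers '../x', '/etc/x' and 'a\\..\\b'
    if not SAFE_NAME.match(filename):
        return "outside allow-list"   # covers '.', '..', '.hidden', '' and over-long names
    return None


def safe_attachment_path(job_id: str, filename: str) -> str:
    """Hardened form: validate both untrusted inputs, then confirm the
    normalised result is still inside the job's directory before returning."""
    for label, value in (("job id", job_id), ("filename", filename)):
        problem = filename_problem(value)
        if problem:
            raise UnsafeFilename(f"{label} rejected: {problem}")
    job_dir = posixpath.join(ATTACHMENT_ROOT, job_id)
    candidate = posixpath.normpath(posixpath.join(job_dir, filename))
    # Containment check: defence in depth even if the allow-list is relaxed later.
    if posixpath.commonpath([job_dir, candidate]) != job_dir:
        raise UnsafeFilename("resolved path escapes the job directory")
    return candidate


def review_upload_names(names: List[str]) -> List[Tuple[str, str]]:
    """Detection helper: given filenames pulled from request logs, return the
    ones a hardened server would have refused, together with the reason."""
    flagged = []
    for name in names:
        problem = filename_problem(name)
        if problem:
            flagged.append((name, problem))
    return flagged


if __name__ == "__main__":
    # Constructed sample names, as they might appear in an upload audit log.
    samples = ["query.sql", "../../../outside.sql", "/tmp/outside.sql", "..", "ok-2.sql"]
    for name in samples:
        print(f"weak join : {name!r:24} -> {unsafe_attachment_path('job-42', name)}")
        try:
            print(f"hardened  : {name!r:24} -> {safe_attachment_path('job-42', name)}")
        except UnsafeFilename as exc:
            print(f"hardened  : {name!r:24} -> rejected ({exc})")
    print("flagged in log review:", review_upload_names(samples))
```

Running the block prints, for each sample, where the weak join would have written the file and what the hardened check does with the same input; the two traversal names and the bare `..` are rejected before any path is built, while `query.sql` and `ok-2.sql` resolve under the job directory. The containment check at the end is deliberately redundant with the allow-list so that a later relaxation of the name rules (say, to permit subfolders) still cannot reintroduce an escape.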

Path traversal vulnerabilities are a known issue in the cybersecurity realm, with recent examples including exploits in ConnectWise ScreenConnect and Cisco AppDynamics Controller. The FBI’s Internet Crime Complaint Center (IC3) has issued an advisory on the vulnerability class, warning organizations about the risks posed by directory traversal exploits. The advisory emphasizes the importance of treating user-supplied content as potentially malicious and taking necessary precautions to protect against such vulnerabilities.

In conclusion, the discovery of the critical vulnerability in Genie OSS highlights the ongoing challenges organizations face in securing their big data applications against potential cyber threats. The incident serves as a reminder of the importance of robust cybersecurity measures and proactive risk mitigation strategies in today’s digital landscape.
