Microsoft Azure HDInsight Bugs Pose Security Risks to Big Data

Three high-risk vulnerabilities have been found in Microsoft Azure’s big-data analytics service HDInsight.

The discovery comes four and a half months after the disclosure of eight cross-site scripting vulnerabilities in the cloud data tool. Orca Security has now published new findings involving one denial-of-service (DoS) and two privilege escalation bugs afflicting the same service.

This trio of vulnerabilities opens the door to performance issues and unauthorized administrative access. Attackers can potentially read, write, delete, and perform any other management operations over an organization’s sensitive data.

One of the new escalation bugs affects Apache Ambari, which is an open source tool that simplifies Apache Hadoop cluster deployment, management, and monitoring. The vulnerability, assigned a “high” 7.2 out of 10 score on the CVSS scale, concerns the URL endpoint associated with Java Database Connectivity (JDBC), a Java application programming interface (API) responsible for defining how a client may access a database. By manipulating the JDBC endpoint, the researchers discovered they could successfully drop a reverse shell and escalate from regular user privileges to root access in a Hadoop cluster.

The other two vulnerabilities relate to Apache Oozie, which is a workflow scheduler for Hadoop. One of these vulnerabilities, identified as CVE-2023-36419, is caused by a lack of proper user input validation, opening the door to XML External Entity (XXE) injection attacks. An attacker exploiting this vulnerability could escalate privileges and read arbitrary files on the server, including sensitive system files. This vulnerability was assigned a “high” 8.8 CVSS score by Microsoft and a “critical” 9.8 by the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD).

The other, moderate-severity bug also derives from a lack of proper input validation, which causes an intensive loop that the system can’t handle. Triggering it can slow down or outright freeze the Oozie dashboard, cause delays, failures, or other errors in scheduling and managing Oozie jobs, and degrade the performance of other services on the same host.
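
The XXE flaw described above belongs to a class that arises when a service parses untrusted XML with DTD and external entity processing enabled. As an added example (not Orca's, Microsoft's or Oozie's code, and not the actual fix), this Python code rejects any document carrying a DOCTYPE or entity declaration before its content is used; the function names, element names and sample documents are constructed for illustration.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """The document carries a DTD or entity declaration."""


def parse_untrusted_xml(data):
    """Parse untrusted XML, refusing DOCTYPE and entity declarations.

    Returns element names in document order, so benign input is shown
    to parse normally.
    """
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE declarations are not accepted")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML("entity declarations are not accepted")

    def forbid_external(context, base, sysid, pubid):
        raise UnsafeXML("external entity references are not accepted")

    # An exception raised in a handler aborts Parse() and propagates.
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def accepts(data):
    """True only for well-formed XML with no DTD or entities."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return False


# Constructed sample documents (hypothetical element names).
BENIGN = b"<job><name>demo</name></job>"
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE job [<!ENTITY ext SYSTEM '
            b'"file:///constructed/placeholder">]><job><name>&ext;</name></job>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("with DTD", WITH_DTD)):
        print(label, "->", "accepted" if accepts(doc) else "rejected")
```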

Data processing tools in an organizational setting can house massive troves of valuable information. HDInsight is used to perform analysis on ‘Big Data,’ meaning large amounts of structured, unstructured, and fast-moving data. Organizations including Unilever, MetLife, Ernst & Young, and others make use of Azure HDInsight.

Bar Kaduri, research team leader at Orca Security, emphasized the need for organizations to patch diligently as new security gaps rise to the surface. All three of the new bugs were fixed as of Oct. 26. HDInsight users are advised to apply Microsoft’s latest patch if they haven’t already, with one caveat: The service does not support in-place upgrades. To properly protect their applications, HDInsight users must create a cluster with the latest platform version and updates, then migrate from the old cluster to the new one.
