Experts Detail New Flaws in Azure HDInsight Spark, Kafka, and Hadoop Services

February 6, 2024 at 10:10AM

Three new security vulnerabilities have been identified in Azure HDInsight’s Apache Hadoop, Kafka, and Spark services that could be exploited for privilege escalation and denial of service. The flaws include an XML External Entity (XXE) injection elevation-of-privilege issue and a Java Database Connectivity (JDBC) injection elevation-of-privilege issue. Microsoft has released fixes following responsible disclosure. Orca previously found eight flaws in the platform and highlighted a potential abuse risk in Google Cloud Dataproc clusters.

Key takeaways:

– Three new security vulnerabilities have been discovered in Azure HDInsight’s Apache Hadoop, Kafka, and Spark services that could lead to privilege escalation and a regular expression denial-of-service (ReDoS) condition.
– The vulnerabilities are:
  – CVE-2023-36419 (CVSS score: 8.8) – Azure HDInsight Apache Oozie Workflow Scheduler XML External Entity (XXE) Injection Elevation of Privilege Vulnerability
  – CVE-2023-38156 (CVSS score: 7.2) – Azure HDInsight Apache Ambari Java Database Connectivity (JDBC) Injection Elevation of Privilege Vulnerability
  – Azure HDInsight Apache Oozie Regular Expression Denial-of-Service (ReDoS) Vulnerability (no CVE assigned)
– Successful exploitation of the ReDoS vulnerability could disrupt system operations, degrade performance, and affect the availability and reliability of the service.
– Microsoft has rolled out fixes as part of updates released on October 26, 2023, following responsible disclosure.