Critical Netflix Genie Bug Opens Big Data Orchestration to RCE

May 22, 2024 at 09:03AM

Netflix has patched a critical vulnerability in its open source Genie job orchestration engine, designated CVE-2024-4701. Remote attackers could potentially execute arbitrary code by exploiting the file upload process. The bug is present in Genie OSS versions prior to 4.3.18, and organizations are urged to upgrade to the fixed version to mitigate the risk. The vulnerability carries a near-maximum severity rating and could lead to remote code execution and path traversal attacks. The FBI’s Internet Crime Complaint Center (IC3) recently issued an advisory on the vulnerability class, highlighting its prevalence in recent threat actor activity.

CVE-2024-4701 is a critical vulnerability in Netflix’s Genie job orchestration engine for big data applications. It allows remote attackers to potentially execute arbitrary code on systems running affected versions of the software. It affects organizations that run their own instance of Genie OSS and use the underlying local file system to upload and store user-submitted file attachments.

The severity of the vulnerability is near maximum with a score of 9.9 out of 10 on the CVSS rating scale. It is present in Genie OSS versions prior to 4.3.18, but Netflix has released a fix in Genie OSS version 4.3.18 and is encouraging organizations to upgrade to the new version to mitigate the risk. The vulnerability is relatively easy to exploit and does not require special user privileges or interaction.

The vulnerability involves a Genie API that allows users to submit SQL queries via Spark SQL and is susceptible to a path traversal attack in the filename parameter. This could allow an attacker to upload files to unexpected locations, potentially leading to remote code execution and unauthorized access to the server.
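The flaw class described above, shown as an added illustration that is not Genie's code or its fix: a generic Python comparison of joining a client-supplied upload filename as-is versus validating it before writing to the attachment directory. All function names and the sample filenames are hypothetical and constructed for this example.

```python
import os
import tempfile
from pathlib import Path


def naive_target(base_dir, filename):
    """Vulnerable pattern: joins the client-supplied filename as-is."""
    return Path(os.path.join(base_dir, filename))


def safe_target(base_dir, filename):
    """Hardened pattern: accept a bare file name only, then verify containment."""
    # Treat both separator styles as separators, whatever the server OS is.
    name = filename.replace("\\", "/")
    if "/" in name or name in ("", ".", "..") or "\x00" in name:
        raise ValueError(f"rejected attachment filename: {filename!r}")
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    # Defense in depth (e.g. symlinks): the resolved path must stay under base.
    if base not in target.parents:
        raise ValueError(f"rejected attachment filename: {filename!r}")
    return target


def escapes_base(base_dir, path):
    """True when a path resolves outside the attachment directory."""
    base = Path(base_dir).resolve()
    return base not in Path(path).resolve().parents


def demo():
    # Constructed filenames, standing in for the upload's filename parameter.
    samples = ["query.sql", "../outside.sql", "a/../../outside.sql", "/tmp/abs.sql"]
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for f in samples:
            escaped = escapes_base(base, naive_target(base, f))
            try:
                stored = safe_target(base, f).name
            except ValueError:
                stored = None
            results[f] = (escaped, stored)
    return results


if __name__ == "__main__":
    for name, (escaped, stored) in demo().items():
        print(f"{name!r}: naive join escapes={escaped}, hardened stores {stored!r}")
```

The same `escapes_base` check can be run over filenames recorded in upload logs to flag requests that would have resolved outside the attachment directory.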

Path traversal vulnerabilities are a common and dangerous issue, as illustrated by recent incidents like CVE-2024-1708 in ConnectWise ScreenConnect and CVE-2024-20345 in Cisco AppDynamics Controller. The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are urging organizations to inquire with vendors about potential directory traversal issues and take immediate measures to mitigate the problem.
