Microsoft Azure fixes HDInsight vulnerabilities

published: Feb. 6, 2024

Take action: This may be a difficult patch. Locking down access to trusted networks and risk assessment should be the first items on your task list for this. If HDInsight is exposed, plan the effort of upgrading fast. Otherwise, put it in the planned pipeline for this year.

Learn More

Orca Security has recently disclosed three high-risk vulnerabilities within Microsoft Azure's HDInsight service, a big-data analytics platform. HDInsight is critical for large organizations, including major corporations like Unilever, MetLife, and Ernst & Young, which rely on it for big data analytics to drive strategic decisions and uncover new business opportunities. The data processed by HDInsight often contains confidential and valuable customer and market information, underscoring the importance of promptly addressing these security vulnerabilities.

The latest findings include one denial-of-service (DoS) vulnerability and two privilege escalation vulnerabilities, posing significant threats to the integrity and accessibility of big data managed by organizations using HDInsight:

  • The first privilege escalation vulnerability, identified as CVE-2023-38156 (CVSS score 7.2), impacts Apache Ambari, an open-source management tool for Apache Hadoop clusters. It allows attackers to manipulate the Java Database Connectivity (JDBC) endpoint to gain root access in a Hadoop cluster by deploying a reverse shell, thereby escalating from regular user to administrative privileges.
  • The second vulnerability, CVE-2023-36419, (CVSS score 8.8 by Microsoft),  (CVSS score 9.8 by NIST), affects Apache Oozie, a workflow scheduler for Hadoop. This issue arises from inadequate user input validation, enabling XML External Entity (XXE) injection attacks. Such attacks could permit an attacker to read arbitrary files on the server, including sensitive system files, thereby escalating their privileges.
  • The third vulnerability, also related to Apache Oozie, is of moderate severity and hasn't been assigned a tracking code. It stems from a lack of proper input validation. This flaw can be exploited by requesting logs for a job over an excessively large range of actions, leading to an intensive loop that the system cannot handle. Consequently, this can severely degrade the performance of the Oozie dashboard and other services on the same host, affecting job scheduling and management.

As of October 26th 2023, Microsoft has patched all three vulnerabilities. However, due to HDInsight's lack of support for in-place upgrades, users are advised to create a new cluster with the latest platform version and updates, then migrate from the old to the new to ensure comprehensive protection.

Microsoft Azure fixes HDInsight vulnerabilities