Orca Security has published details on eight cross-site scripting (XSS) vulnerabilities impacting Azure HDInsight, which could be exploited to access data, hijack sessions, or deliver malicious payloads.
The issues were identified by the cloud security firm in multiple Apache services, such as Hadoop, Spark, Kafka, and Oozie, all running under the Azure HDInsight umbrella.
An open source analytics service, Azure HDInsight allows organizations to use open source frameworks in their Azure environment for big data analysis, management, and processing.
The eight vulnerabilities, tracked under five different CVE identifiers – CVE-2023-36881, CVE-2023-35394, CVE-2023-38188, CVE-2023-35393, CVE-2023-36877 – were identified through the manipulation of variables and function exploitation.
“All 8 XSS vulnerabilities found in various platforms and components in Azure HDInsight primarily resulted from the lack of proper input sanitization. This omission allowed malicious characters to be rendered once the dashboard was loaded, demonstrating inadequate output encoding that fails to neutralize these characters when rendered,” Orca explains.
The first issue, tracked as CVE-2023-36881, was initially discovered in the Apache Ambari Background operations, which had multiple default parameters that could be modified to perform an XSS attack.
The same CVE identifier is used to track the issue in the Ambari Managed Notifications component and the Ambari YARN Queue Manager. The flaw can be exploited by manipulating alert notifications, by tampering with the Access Control functions, and by injecting JS code into specific YARN configurations.
CVE-2023-35394, Orca explains, is an XSS vulnerability in Azure HDInsight’s Jupyter Notebook service that could be exploited to achieve remote code execution by bypassing the Caja compiler’s sanitization process.
The Apache Hadoop ResourceManager UI within Azure HDInsight was found vulnerable to manipulation of the container endpoint and port (CVE-2023-38188).
Apache Hive 2 was also found vulnerable to container endpoint manipulation (CVE-2023-35393), while the Apache Oozie Web Console allowed for XSS attacks to be carried out via filter manipulation (CVE-2023-36877).
Orca has reported all vulnerabilities to Microsoft, which addressed them with the August 2023 Patch Tuesday security updates for Azure HDInsight.