Azure HDInsight privilege escalation and DoS vulnerabilities
Published Tue, Feb 6th, 2024
Platforms
Summary
Three privilege escalation and denial-of-service vulnerabilities were discovered in Azure HDinsight, related to their usage of Apache Oozie and Ambari. The root cause of at least one of these vulnerabilities is a flaw in Apache Oozie itself, leading to regex denial-of-service (ReDoS). The other two vulnerabilities could allow an authenticated attacker with HDI cluster access to gain cluster administrator privileges and perform any resource service management operation. The vulnerabilities were patched in the October 2023 security update of Azure HDinsight.
Affected Services
HDInsight
Remediation
Update to HDInsight image 2308221128 or 2310140056.
Tracked CVEs
CVE-2023-36419, CVE-2023-38156
References
Contributed by https://github.com/mer-b
Entry Status
Finalized
Disclosure Date
-
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
None
Piercing Index Rating
-
Discovered by
Lidor Ben Shitrit, Orca Security
