Summary
Three privilege escalation and denial-of-service vulnerabilities were discovered in Azure HDinsight, related to their usage of Apache Oozie and Ambari.
The root cause of at least one of these vulnerabilities is a flaw in Apache Oozie itself, leading to regex denial-of-service (ReDoS). The other two vulnerabilities
could allow an authenticated attacker with HDI cluster access to gain cluster administrator privileges and perform any resource service management operation.
The vulnerabilities were patched in the October 2023 security update of Azure HDinsight.
Affected Services
HDInsight
Remediation
Update to HDInsight image 2308221128 or 2310140056.
Tracked CVEs
CVE-2023-36419, CVE-2023-38156
References
https://orca.security/resources/blog/azure-hd-insight-vulnerabilities-privilege-escalation/https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36419https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38156https://github.com/apache/oozie/pull/92
Contributed by https://github.com/mer-b
Disclosure Date
-
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Lidor Ben Shitrit, Orca Security
