Three substantial security vulnerabilities have come to light in the third-party Apache Hadoop, Kafka, and Spark services that Microsoft Azure HDInsight offers. These services, integral components of the Azure HDInsight ecosystem, were found by security firm Orca to be exposed to privilege escalation and denial-of-service (DoS) scenarios. Microsoft has since addressed the issues with updates rolled out in October.
Unmasking the Flaws
The two high-severity flaws, identified as CVE-2023-36149 and CVE-2023-38156, pose significant threats to system security. The former is linked to the Apache Oozie Workflow Scheduler and the latter to Java Database Connectivity (JDBC) injection in Apache Ambari. Both vulnerabilities, if exploited, could escalate an attacker’s privileges within the system.
A third vulnerability, yet to be assigned a CVE number, lies within Apache Oozie. This flaw could potentially instigate a regular expression denial-of-service (ReDoS) condition, thereby disrupting system operations.
The ReDoS Risk
Security researcher Lidor Ben Shitrit shed light on the origins of the ReDoS vulnerability. According to Ben Shitrit, insufficient input validation and constraint enforcement paved the way for the flaw: if an attacker could request a wide array of action IDs, an intensive loop operation could be induced, resulting in a DoS condition that disrupts the regular functioning of the system.
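The root cause described above is a missing constraint on a user-supplied list of IDs. The following Python snippet is an added illustration of the defensive pattern, not code from Oozie, Orca, or Microsoft: it bounds the raw parameter length, the number of IDs, and the per-ID format before any processing loop runs, using an anchored, fixed-width pattern that cannot backtrack. The limits (100 IDs, 64 characters each) and the comma-separated wire format are assumptions chosen for the example.

```python
import re

# Assumed limits for the example; a real service would derive these from
# its workload and documented API contract.
MAX_ACTION_IDS = 100
MAX_ID_LENGTH = 64

# Anchored character-class pattern with a bounded repeat count: no nested or
# overlapping quantifiers, so matching is linear in the input length and
# cannot itself be driven into catastrophic backtracking.
ACTION_ID_RE = re.compile(r"\A[A-Za-z0-9_-]{1,%d}\Z" % MAX_ID_LENGTH)

# Upper bound on the raw parameter: every ID at its maximum length plus a
# separator. Anything longer is rejected before we even split it.
MAX_RAW_LENGTH = MAX_ACTION_IDS * (MAX_ID_LENGTH + 1)


class ValidationError(ValueError):
    """Raised when a request parameter violates the enforced constraints."""


def validate_action_ids(raw):
    """Parse a comma-separated 'action IDs' parameter under strict limits.

    Returns a list of unique, well-formed IDs, or raises ValidationError.
    Every check runs in time proportional to the (bounded) input size, so the
    caller never enters an expensive loop driven by attacker-chosen counts.
    """
    if not isinstance(raw, str):
        raise ValidationError("action IDs parameter must be a string")
    if len(raw) > MAX_RAW_LENGTH:
        raise ValidationError("action IDs parameter too long")
    if raw == "":
        return []

    parts = raw.split(",")
    if len(parts) > MAX_ACTION_IDS:
        raise ValidationError(
            "too many action IDs: %d > %d" % (len(parts), MAX_ACTION_IDS))

    seen = set()
    ids = []
    for part in parts:
        if not ACTION_ID_RE.match(part):
            raise ValidationError("malformed action ID: %r" % part[:16])
        if part not in seen:          # deduplicate so repeats cannot inflate work
            seen.add(part)
            ids.append(part)
    return ids


def lookup_actions(raw, store):
    """Resolve validated IDs against a store; the loop is bounded by
    MAX_ACTION_IDS because validation happens first."""
    ids = validate_action_ids(raw)
    return {action_id: store.get(action_id) for action_id in ids}


if __name__ == "__main__":
    # Constructed sample store and requests for demonstration only.
    sample_store = {"wf-1": "RUNNING", "wf-2": "DONE"}
    print(lookup_actions("wf-1,wf-2,wf-1", sample_store))
    try:
        validate_action_ids(",".join("wf-%d" % i for i in range(500)))
    except ValidationError as exc:
        print("rejected:", exc)
```

The key design choice is ordering: cheap size checks run before the split, the count check runs before the per-item loop, and the per-item check uses a pattern whose worst case is linear, so the total cost is capped by constants the operator controls rather than by the request.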
Security Measures in Place
In response to the identification of these vulnerabilities, Microsoft swiftly released fixes. This move underlines the company’s commitment to maintaining robust security practices within its cloud environments. The incident also highlights the broader issue of security risks in cloud environments, particularly in bundled third-party components, and underscores the necessity of proactive security practices.