Summary Summary

Microsoft recently remediated one Denial of Service and two Escalation of Privilege vulnerabilities affecting third party components of Azure HDInsight. Access to the target cluster as an authenticated user was a prerequisite for exploitation in all three cases. A successful privilege escalation could result in the attacker assuming the Cluster Administrator role. This would provide read/write/delete privileges and allow resource management operations in Apache Ambari. The impact of a successful exploitation would have been isolated to the victim cluster in all cases, with no cross-tenant impact.

The Microsoft Security Response Center (MSRC) continually works with security researchers who discover security vulnerabilities in our products and services. These vulnerabilities were originally identified through independent testing conducted by Orca Security and reported to MSRC via our Coordinated Vulnerability Disclosure process. Microsoft released fixes for two vulnerabilities (CVE-2023-38156 and CVE-2023-36419) in October. The denial of service vulnerability fix was included in the latest Azure HDInsight release as a defense-in-depth fix.

Microsoft has not observed exploitation of these vulnerabilities beyond the proofs-of-concept provided by the researcher. Customers are encouraged to deploy the latest HDInsight image 2310140056 which has fixes for these three vulnerabilities.

CVE Details: CVE Details:

 Of the three vulnerabilities discussed above, two have been assigned CVEs:

Background of CVEs on Azure HDInsight Background of CVEs on Azure HDInsight

The diagram below represents the high-level network architecture showing how implementations of HDInsight are isolated. NSG separation between tenant subnets prevents cross-tenant vulnerability risk to HDInsight clusters.

Details about the two Elevation of Privilege (EoP) CVEs and the privileges required to perform malicious operations are summarized below:

Azure HDInsight Apache Ambari JDBC Injection Elevation of Privilege Vulnerability Azure HDInsight Apache Ambari JDBC Injection Elevation of Privilege Vulnerability

CVE-2023-38156

This CVE relates to a command injection vulnerability in the open-source Apache Ambari component. When configuring the database connection URL via the Ambari user interface, an authenticated attacker can append shell commands to the URL. When a connection to the database is made, these commands will execute on the server. The attacker can use this ability to elevate their privileges within the cluster. 

Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability

CVE-2023-36419

This CVE relates to an External Entity Injection vulnerability in the open-source Apache Oozie component. When saving a Workflow Coordinator configuration, settings are sent to the server in XML format. An attacker can inject additional XML entities to this data which reference arbitrary files on the server. The content of these files is returned to the attacker in the web server’s response. This access can be used to elevate privileges within the cluster.

Azure HDInsight Apache Oozie Regex Denial of Service Azure HDInsight Apache Oozie Regex Denial of Service

This vulnerability relates to a denial of service condition in the open-source Apache Oozie component. When configuring a Job, the Oozie documented web api exposes an array of configuration options and settings to the user. A parameter in this API is used as the iteration count for a loop with no upper limit. An attacker can set this parameter to a large integer, causing the server to iterate on this loop for an extended time and resulting in denial of service.

Our security team engages in vulnerability variant hunting to identify security anti-patterns that lead to vulnerabilities across our products and services. These efforts augment our evolving static and dynamic analysis scanning tools to ensure we account for multiple attack vectors and strengthen our SDL controls to catch the problems early in the development cycle. To further strengthen the security of HDInsight, and all Microsoft products, we continuously upgrade our static analysis rules to detect and mitigate bugs early in the product pipeline.

As part of our learnings from the vulnerabilities identified by Orca Security, the HDInsight team will conduct a comprehensive security review of our critical open-source dependencies, including Apache Ambari, Apache Oozie, and others. Our team will coordinate and work with our partners at Apache and elsewhere to address any other security issues discovered.

Conclusion Conclusion

In summary:

• Orca Security reported two Elevation of Privilege and one Denial of Service vulnerability affecting Azure HDInsight in July and August 2023.
• After analyzing the vulnerability report, we contacted the Apache security team on October 4, 2023, and have been in coordination since.
• All three vulnerabilities were mitigated and customers are encouraged to deploy the latest HDInsight image 2310140056 that has the fixes for these three vulnerabilities.
• Microsoft has no evidence of these vulnerabilities being exploited in HDInsight outside of the proof of concepts from the researcher. These vulnerabilities were demonstrated by Orca Security and reproduced by Microsoft security teams before being mitigated.
• Microsoft continually invests in proactive efforts to identify, mitigate, and prevent security vulnerabilities across our services, including making improvements to our analysis tools, performing proactive variant hunting, and strengthening our SDL controls to catch security flaws early in the development cycle.

We appreciate the opportunity to investigate the findings reported by Orca Security and thank them for their continued collaboration. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research. Researchers who report security issues to the Microsoft Security Response Center (MSRC) are eligible to participate in Microsoft’s Bug Bounty Program. For more information on securing Azure HDInsight, please refer to Azure security baseline for HDInsight | Microsoft Learn.

Learn more about how Microsoft secures our cloud infrastructure and keeps customer data secure here. Get notified when a potential security event impacts your Azure resources by configuring Service Health alerts in the Azure Portal.