Microsoft recently remediated one Denial of Service and two Elevation of Privilege vulnerabilities affecting third-party components of Azure HDInsight. Access to the target cluster as an authenticated user was a prerequisite for exploitation in all three cases. A successful privilege escalation could result in the attacker assuming the Cluster Administrator role, which provides read/write/delete privileges and allows resource management operations in Apache Ambari. The impact of a successful exploitation would have been isolated to the victim cluster in all cases, with no cross-tenant impact.
The Microsoft Security Response Center (MSRC) continually works with security researchers who discover security vulnerabilities in our products and services. These vulnerabilities were originally identified through independent testing conducted by Orca Security and reported to MSRC via our Coordinated Vulnerability Disclosure process. Microsoft released fixes for two vulnerabilities (CVE-2023-38156 and CVE-2023-36419) in October. The denial of service vulnerability fix was included in the latest Azure HDInsight release as a defense-in-depth fix.
Microsoft has not observed exploitation of these vulnerabilities beyond the proofs-of-concept provided by the researcher. Customers are encouraged to deploy the latest HDInsight image, 2310140056, which includes fixes for all three vulnerabilities.
Of the three vulnerabilities discussed above, two have been assigned CVEs:

| Title | Vulnerability Type | Impact/Severity | CVE # |
| --- | --- | --- | --- |
| Azure HDInsight Apache Ambari JDBC Injection Elevation of Privilege Vulnerability | Command Injection | Elevation of Privilege, Important severity | CVE-2023-38156 |
| Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability | XML External Entity Injection (XXE) | Local file read, Elevation of Privilege, Important severity | CVE-2023-36419 |
| Azure HDInsight Apache Oozie Regex Denial of Service | Denial of Service | Denial of service, Moderate severity | N/A |
The diagram below represents the high-level network architecture showing how HDInsight deployments are isolated from one another. Network security group (NSG) separation between tenant subnets prevents a vulnerability in one tenant's HDInsight cluster from affecting another tenant.
Details about the two Elevation of Privilege (EoP) CVEs and the privileges required to perform malicious operations are summarized below:
This CVE relates to a command injection vulnerability in the open-source Apache Ambari component. When configuring the database connection URL via the Ambari user interface, an authenticated attacker can append shell commands to the URL. When a connection to the database is made, these commands will execute on the server. The attacker can use this ability to elevate their privileges within the cluster.
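The defensive counterpart to the Ambari finding is to treat the database connection URL as untrusted input: accept only a strict JDBC grammar and never hand the string to a shell. The following is an added example in Python, not code from the post or from Apache Ambari; the subprotocol allowlist, the `DB_CHECK_JAR`/`DB_CHECK_CLASS` probe placeholders and the sample URLs are constructed for illustration.

```python
import re
from typing import Optional

# Allowlist for this example (constructed): subprotocols whose locator has the
# host[:port]/database form validated below.
ALLOWED_SUBPROTOCOLS = {"mysql", "postgresql"}

# Shell-significant characters; none belongs in a host, port or database name,
# so they are rejected outright even though the grammar below rejects them too.
_FORBIDDEN = re.compile(r"[;&|`$(){}<>\\\"'\s]")

# Strict grammar: jdbc:<subprotocol>://<host>[:<port>]/<database>, with no
# query string, fragment, credentials or driver properties.
_JDBC = re.compile(
    r"^jdbc:(?P<subprotocol>[a-z]+)://"
    r"(?P<host>[A-Za-z0-9][A-Za-z0-9.-]{0,252})"
    r"(?::(?P<port>[0-9]{1,5}))?"
    r"/(?P<database>[A-Za-z0-9_]{1,64})$"
)

# Placeholders for a connectivity probe; substitute your own jar and class.
DB_CHECK_JAR = "/path/to/db-check.jar"
DB_CHECK_CLASS = "example.DbConnectionCheck"

def parse_jdbc_url(url: str) -> Optional[dict]:
    """Return the URL's components, or None if it fails validation."""
    if len(url) > 512 or _FORBIDDEN.search(url):
        return None
    match = _JDBC.match(url)
    if match is None or match.group("subprotocol") not in ALLOWED_SUBPROTOCOLS:
        return None
    port = match.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        return None
    return {"subprotocol": match.group("subprotocol"), "host": match.group("host"),
            "port": int(port) if port is not None else None,
            "database": match.group("database")}

def connection_check_argv(url: str) -> list:
    """Argument vector for the probe. Run it with subprocess.run(argv), i.e.
    shell=False, so the URL travels as a single argv element and is never
    interpreted by a shell; a URL that fails validation never reaches it."""
    if parse_jdbc_url(url) is None:
        raise ValueError("rejected JDBC connection URL")
    return ["java", "-cp", DB_CHECK_JAR, DB_CHECK_CLASS, url]
```

Rejecting driver properties and query strings as well as shell metacharacters also closes the related class of JDBC driver-option abuse, at the cost of requiring any extra connection settings to be configured out of band.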
This CVE relates to an XML External Entity (XXE) injection vulnerability in the open-source Apache Oozie component. When saving a Workflow Coordinator configuration, settings are sent to the server in XML format. An attacker can inject additional XML entities into this data which reference arbitrary files on the server. The content of these files is returned to the attacker in the web server’s response. This access can be used to elevate privileges within the cluster.
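The standard fix for this class of bug is to parse the submitted configuration with a parser that refuses DOCTYPE declarations, so no entity (external or internal) can be declared at all. The following is an added example in Python using the standard library's expat binding, not code from the post or from Apache Oozie; both sample documents are constructed, and the entity's file path is a placeholder.

```python
from xml.parsers import expat

class UnsafeXmlError(ValueError):
    """The document declares a DOCTYPE and so could declare external entities."""

def parse_oozie_configuration(xml_text: str) -> dict:
    """Parse a Hadoop/Oozie-style <configuration> document into {name: value}.
    Any DOCTYPE aborts parsing before its internal subset is read."""
    parser = expat.ParserCreate()
    props, prop, buf = {}, {}, []  # finished properties, current property, text

    def start_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE declarations are not accepted")

    def start_element(tag, attrs):
        if tag == "property":
            prop.clear()
        buf.clear()

    def end_element(tag):
        if tag in ("name", "value"):
            prop[tag] = "".join(buf).strip()
        elif tag == "property" and "name" in prop:
            props[prop["name"]] = prop.get("value", "")
        buf.clear()

    parser.StartDoctypeDeclHandler = start_doctype
    # Second line of defence: returning 0 makes expat fail on any external entity.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = buf.append
    parser.Parse(xml_text, True)
    return props

# Constructed sample: a benign coordinator configuration.
SAFE_CONFIG = """<configuration>
  <property><name>oozie.coord.application.path</name><value>/user/app/coord</value></property>
  <property><name>frequency</name><value>60</value></property>
</configuration>"""

# Constructed sample of the shape the fix must reject: a DOCTYPE declaring an
# external entity; the file path is a placeholder, not a real target.
XXE_CONFIG = """<!DOCTYPE configuration [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER"> ]>
<configuration>
  <property><name>frequency</name><value>&ext;</value></property>
</configuration>"""
```

Because the DOCTYPE handler fires before the internal subset is read, the entity declaration is never processed; a document that references an undeclared entity without a DOCTYPE fails with an ordinary expat parse error instead.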
This vulnerability relates to a denial of service condition in the open-source Apache Oozie component. When configuring a Job, Oozie's documented web API exposes an array of configuration options and settings to the user. One parameter in this API is used as the iteration count for a loop with no upper limit. An attacker can set this parameter to a large integer, causing the server to iterate over this loop for an extended time and resulting in denial of service.
Our security team engages in vulnerability variant hunting to identify security anti-patterns that lead to vulnerabilities across our products and services. These efforts augment our evolving static and dynamic analysis scanning tools to ensure we account for multiple attack vectors and strengthen our SDL controls to catch the problems early in the development cycle. To further strengthen the security of HDInsight, and all Microsoft products, we continuously upgrade our static analysis rules to detect and mitigate bugs early in the product pipeline.
As part of our learnings from the vulnerabilities identified by Orca Security, the HDInsight team will conduct a comprehensive security review of our critical open-source dependencies, including Apache Ambari, Apache Oozie, and others. Our team will coordinate and work with our partners at Apache and elsewhere to address any other security issues discovered.
In summary:
We appreciate the opportunity to investigate the findings reported by Orca Security and thank them for their continued collaboration. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research. Researchers who report security issues to the Microsoft Security Response Center (MSRC) are eligible to participate in Microsoft’s Bug Bounty Program. For more information on securing Azure HDInsight, please refer to the Azure security baseline for HDInsight on Microsoft Learn.
Learn more about how Microsoft secures our cloud infrastructure and keeps customer data secure here. Get notified when a potential security event impacts your Azure resources by configuring Service Health alerts in the Azure Portal.