Critical Netflix Genie Bug Opens Big Data Orchestration to RCE

A critical vulnerability in the open source version of Netflix' Genie job orchestration engine for big data applications gives remote attackers a way to potentially execute arbitrary code on systems running affected versions of the software.

The bug, designated as CVE-2024-4701, carries a near-max critical score of 9.9 out of 10 on the CVSS vulnerability-severity scale. It attacks organizations running their own instance of Genie OSS, using the underlying local file system to upload and store user-submitted file attachments.

Organizations can use Genie to orchestrate, run, and monitor a variety of big data jobs and workflows across these different frameworks and across distributed computational clusters. The APIs also facilitate managing the metadata and configuration of those distributed clusters and the applications running on them.

It also provides organizations with application programming interfaces (APIs) for users to access the computational resources required for big data environments such as Hadoop, Spark, Pig, Hive, Sqoop, and Presto.

In short, it offers access to plenty of internal data and resources.

Researchers from Contrast Security recently discovered and reported the bug to Netflix, and in a report filed this week, the security vendor described the vulnerability as enabling remote code execution (RCE) during the file upload process.

"If successful, such an attack could fool a Web application into reading and consequently exposing the contents of files outside of the document root directory of the application or the Web server," Contrast researchers wrote. "[This includes] credentials for back-end systems, application code and data, and sensitive operating system files."

Netflix has been using Genie internally for more than a decade to run thousands of daily Hadoop jobs in its petabytes-scale environment. The company released the technology to the open source community in 2013.

Near Maximum Severity for CVE-2024-4701

The vulnerability is present in Genie OSS versions prior to 4.3.18. Netflix has fixed the issue in Genie OSS version 4.3.18 and wants organizations to upgrade to the new version to mitigate risk. The company assessed the vulnerability as relatively easy to exploit and requiring no special user privileges or interaction.

"Genie users who do not store attachments locally on the underlying file system are not vulnerable to this issue," Netflix said in a post on GitHub.

Contrast Security explained the vulnerability as involving a Genie API that — among other things — allows users to submit SQL queries via Spark SQL. "As part of this process, you can upload a SQL file containing the SQL to be run," according to Contrast researchers. What they discovered was that the filename parameter is susceptible to a path traversal attack. So, an attacker basically could construct a filename in such a manner as to allow them to upload the file to a location that is out of the expected upload location.

"[A successful attack would] allow an attacker to take control of the underlying server, and potentially gain access/exfiltrate the big data sets that Genie is operating on," says Joseph Beeton, staff application security researcher at Contrast. He advises that organizations that cannot immediately update to the fixed version of the software limit network access to the Genie application and ensure it is not accessible from the Internet.

Netflix identified the problem as having to do with the API accepting a user-supplied filename and using that filename when writing the file to disk. "Since this filename is user-controlled, it is possible for a malicious actor to manipulate the filename in order to break out of the default attachment storage path and perform path traversal," according to a Netflix GitHub post. An attacker could exploit this to upload a file with any user-specified name and file contents to any location on the system, thereby enabling remote code execution, Netflix said.

Path traversal — or directory traversal — vulnerabilities are a fairly common and dangerous issue. The FBI's Internet Crime Compliant Center (IC3) recently issued an advisory on the vulnerability class, citing prolific threat actor activity.

The examples included a recent vulnerability in ConnectWise ScreenConnect (CVE-2024-1708) that numerous initial access brokers and threat groups exploited to deliver ransomware, and CVE-2024-20345, a path traversal flaw in Cisco AppDynamics Controller that attackers exploited against healthcare and other critical infrastructure organizations. The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are urging organizations to ask vendors if they have vetted their products for potential directory traversal issues and to take immediate measure to mitigate the issue if such defects are present in their environment.

"Directory traversal exploits succeed because technology manufacturers fail to treat user supplied content as potentially malicious, hence failing to adequately protect their customers," the IC3 advisory noted.