Microsoft Azure HDInsight Bugs Expose Big Data to Breaches

Three high-risk vulnerabilities have been uncovered in Microsoft Azure's big-data analytics service HDInsight.

Four and a half months after disclosing eight cross-site scripting (XSS) vulnerabilities in the cloud data tool, Orca Security has published new findings involving one denial-of-service (DoS) and two privilege escalation bugs afflicting the same service.

This new trio opens the door to performance issues and unauthorized administrative access, and all that comes with it: attackers reading, writing, deleting, and performing any other management operations over an organization's sensitive data.

Three New Bugs in Azure HDInsight

One of the new escalation bugs affects Apache Ambari, an open source tool that simplifies Apache Hadoop cluster deployment, management, and monitoring.

CVE-2023-38156, assigned a "high" 7.2 out of 10 score on the CVSS scale, concerns the URL endpoint associated with Java Database Connectivity (JDBC), a Java application programming interface (API) responsible for defining how a client may access a database. By manipulating the JDBC endpoint, the researchers discovered they could successfully drop a reverse shell and escalate from regular user privileges to root access in a Hadoop cluster.

The other two vulnerabilities relate to Apache Oozie, a workflow scheduler for Hadoop.

The more serious of the two, CVE-2023-36419 is caused by a lack of proper user input validation, opening the door to XML External Entity (XXE) injection attacks. An attacker exploiting XXE in the workflow scheduler could escalate privileges and read arbitrary files on the server, including sensitive system files. CVE-2023-36419 was assigned a "high" 8.8 CVSS score by Microsoft, but a "critical" 9.8 by the National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD).

The other moderate-severity bug also derives from a lack of proper input validation, when a user requests logs for a specific job by specifying a very large range of actions, causing an intensive loop that the system can't handle. Doing so can slow down or outright freeze the Oozie dashboard, cause delays, failures, or other errors in scheduling and managing Oozie jobs, and cause performance degradation to other services on the same host.

Why Azure HDInsight Vulnerabilities Matter

Data processing tools in an organizational setting can house massive troves of valuable information.

"HDInsight is used to perform analysis on 'Big Data,' meaning large amounts of structured, unstructured, and fast-moving data," explains Bar Kaduri, research team leader at Orca Security. "Typically, it’' the larger organizations who are using big data analytics to identify new business opportunities and facilitate strategic decisions."

Indeed, some of the world's largest corporations — including Unilever, MetLife, Ernst & Young, and more, according to business data aggregators — make use of Azure HDInsight.

"We can safely assume that this big data is likely to contain valuable and confidential customer and market information which organizations would want to do their utmost to protect," Kaduri says, emphasizing the need for organizations to patch diligently as new security gaps rise to the surface.

All three of the new bugs were fixed as of Oct. 26. HDInsight users are recommended to implement Microsoft's latest patch if they haven't already, with one caveat: The service does not support in-place upgrades.

To properly protect their applications, HDInsight users must create a cluster with the latest platform version and updates, then migrate the old to the new.