Microsoft Azure HDInsight's third-party Apache Hadoop, Kafka, and Spark services were affected by three security flaws stemming from the Apache Ambari and Oozie software; Microsoft has already remediated them in updates issued in October, The Hacker News reports.
Attackers could leverage the high-severity Apache Oozie Workflow Scheduler XML External Entity (XXE) injection flaw and the Apache Ambari Java Database Connectivity (JDBC) injection flaw, tracked as CVE-2023-36149 and CVE-2023-38156 respectively, to escalate privileges. The other Apache Oozie flaw, which does not yet have a CVE designation, could be exploited to trigger a regular expression denial-of-service (ReDoS) condition and disrupt the system, according to an Orca report.
"The ReDoS vulnerability on Apache Oozie was caused by a lack of proper input validation and constraint enforcement, and allowed an attacker to request a large range of action IDs and cause an intensive loop operation, leading to a denial-of-service (DoS)," said researcher Lidor Ben Shitrit.
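The quoted root cause, a request for an arbitrarily large range of action IDs that the server expands in a loop, is a general input-validation failure. The following is an added illustration written for this article, not Apache Oozie's code; the `start-end` range syntax, the `MAX_RANGE_SPAN` cap and the function names are constructed assumptions. It places the weak pattern (expand whatever the client asked for) beside the hardened one (reject the request before any loop or allocation happens).

```python
"""Illustrative example (not Apache Oozie's code): bounding a requested
range of action IDs so one request cannot trigger an unbounded loop."""

# Constructed policy limit; in a real deployment this would be a configured setting.
MAX_RANGE_SPAN = 1000


class InvalidRangeError(ValueError):
    """Raised when a requested range violates the validation policy."""


def parse_action_range(spec: str) -> tuple[int, int]:
    """Parse an inclusive 'start-end' spec (assumed syntax) into ints.

    Malformed text, negative starts and reversed ranges are rejected here,
    but note that this alone does NOT bound the size of the range.
    """
    try:
        start_s, end_s = spec.split("-", 1)
        start, end = int(start_s), int(end_s)
    except ValueError as exc:
        raise InvalidRangeError(f"malformed range spec: {spec!r}") from exc
    if start < 0 or end < start:
        raise InvalidRangeError(f"range must satisfy 0 <= start <= end: {spec!r}")
    return start, end


def expand_unbounded(spec: str) -> list[int]:
    """Weak pattern: the loop size is entirely client-controlled.

    A single request such as '0-999999999' makes the server iterate and
    allocate proportionally to a number the client chose.
    """
    start, end = parse_action_range(spec)
    return list(range(start, end + 1))


def expand_bounded(spec: str, max_span: int = MAX_RANGE_SPAN) -> list[int]:
    """Hardened pattern: enforce a span cap BEFORE any loop or allocation."""
    start, end = parse_action_range(spec)
    span = end - start + 1
    if span > max_span:
        raise InvalidRangeError(f"range span {span} exceeds limit {max_span}")
    return list(range(start, end + 1))


def is_accepted(spec: str, max_span: int = MAX_RANGE_SPAN) -> bool:
    """Convenience check: does the hardened validator accept this spec?"""
    try:
        expand_bounded(spec, max_span)
        return True
    except InvalidRangeError:
        return False


if __name__ == "__main__":
    print(expand_bounded("10-14"))            # small range: served normally
    print(len(expand_unbounded("0-50000")))   # weak path: 50001 items built on demand
    print(is_accepted("0-50000"))             # hardened path: rejected up front
```

The point the quote makes is that the cap has to be checked as a precondition of the request, not discovered after the work has been done; server-side resource limits (request timeouts, worker pools) are a second line of defense, not a substitute for this check.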
Azure HDInsight services impacted by new vulnerabilities