Although patches have been released, eight significant Cross-Site Scripting (XSS) vulnerabilities within various Apache services integrated into Azure HDInsight have been discovered by the Orca Research Pod. This managed service, known for its open-source analytics capabilities, was at risk of compromising user data integrity, session hijacking, and malicious payload delivery.
Azure HDInsight is a cloud-based big data analytics service provided by Microsoft Azure, which enables organizations to process and analyze large volumes of data using popular open-source frameworks such as Hadoop, Spark, and Hive. It offers a managed platform for deploying and scaling these big data technologies, making it easier to gain insights from diverse data sources.
The vulnerabilities identified encompassed six Stored XSS (stored on web server for all users) and two Reflected XSS vulnerabilities, each representing a potential gateway for unauthorized activities. These vulnerabilities were associated with five CVEs.
- CVE-2023-36881 – Azure Apache Ambari Spoofing
- CVE-2023-35394 – Azure HDInsight Jupyter Notebook Spoofing
- CVE-2023-38188 – Azure Apache Hadoop Spoofing
- CVE-2023-35393 – Azure Apache Hive Spoofing
- CVE-2023-36877 – Azure Apache Oozie Spoofing
After notification from Orca Research, Microsoft Service Response Center (MSRC) reproduced the issues and the XSS vulnerabilities were patched via the HDInsight Security Update on August 8.
Stored XSS and Reflected XSS are two common types of XSS attacks which are malicious attack vectors where attackers inject harmful scripts into trusted websites, which then execute within users’ browsers. Stored XSS is persistent, executed for all users accessing a page, while Reflected XSS is transient, targeting only those who click on manipulated links. These vulnerabilities stemmed from deficient input sanitization, enabling attackers to compromise user data.
To enhance cybersecurity defenses against XSS vulnerabilities, follow proactive strategies, such as:
- Prioritize input validation to enforce user inputs’ compliance with expected formats, data types, and defined ranges.
- Consistently apply output encoding—comprising HTML, JavaScript, and URL encoding—to user-generated data before rendering it on web pages.
- Implement a Content Security Policy (CSP) to restrict script execution and minimize XSS vulnerabilities’ impact.
- Utilize modern web frameworks and libraries with built-in security features and adhere to the principle of least privilege to reduce attack surface.
In conclusion, the discovery and swift resolution of the eight XSS vulnerabilities in Azure HDInsight serves as a reminder of the ever-present threat of cyberattacks.
Organizations must remain vigilant, adaptable, and proactive in their approach to cybersecurity to stay one step ahead of malicious actors and protect both their data and reputation in an increasingly interconnected digital landscape.