Six of the XSS flaws found by Orca in Azure HDInsight were stored and the other two were reflected. They were tracked as CVE-2023-36881 (four flaws), CVE-2023-35394, CVE-2023-38188, CVE-2023-35393, and CVE-2023-36877 and were flagged by Microsoft as Important. The four CVE-2023-36881 flaws are all located in different components of Apache Ambari, a web-based dashboard for managing Apache Hadoop clusters.
“Our initial encounter with XSS in Azure HDInsight was straightforward,” the researchers said. “We discovered that the Apache Ambari Background operations had multiple parameters that, by default, could be modified. After identifying this primary stored XSS vulnerability, we expanded our investigation. Using various techniques, we subsequently pinpointed seven more similar vulnerabilities.”
The investigation was not difficult. The researchers used the fuzz testing Intruder tool from Burp Suite, a penetration testing tool for web applications that can deliver XSS payloads. The web dashboard had some XSS filtering for user input, but this was insufficient. “By careful inspection of HTTP responses and analyzing the Document Object Model (DOM), we were able to identify where the application was improperly escaping or sanitizing the user-supplied input,” the researchers said.
After the first flaw was identified in Ambari Background operations, additional stored XSS issues were found in the Managed Notifications, the YARN Queue Manager and YARN Configurations components. These four flaws were packaged under the CVE-2023-36881 identifier. Another stored XSS issue was found in Azure HDInsight’s Jupyter Notebook service, particularly in its Caja compiler. This vulnerability can lead to remote code execution because of the WebSocket communications capability of the service. The attacker can load up a rogue JavaScript file on a remote server that establishes a WebSocket communication channel and sends a reverse shell as a code payload to the service.
The sixth stored XSS issue was found in Azure HDInsight’s Apache Oozie Web Console and can be exploited through custom filters. Apache Oozie is a workflow scheduling system for Hadoop jobs. The two reflected XSS issues were identified in Hadoop itself and Apache Hive and can be exploited via endpoint manipulation.
How to mitigate XSS vulnerabilities
Even though Microsoft fixed the Azure HDInsight vulnerabilities in its service, they serve as a reminder for organizations to implement XSS defenses in their own web applications. Orca’s recommendations include: