One of the new escalation bugs affects Apache Ambari, an open source tool that simplifies Apache Hadoop cluster deployment, management, and monitoring.
CVE-2023-38156, assigned a “high” 7.2 out of 10 score on the CVSS scale, concerns the URL endpoint associated with Java Database Connectivity (JDBC), a Java application programming interface (API) responsible for defining how a client may access a database. By manipulating the JDBC endpoint, the researchers discovered they could successfully drop a reverse shell and escalate from regular user privileges to root access in a Hadoop cluster.
The other two vulnerabilities relate to Apache Oozie, a workflow scheduler for Hadoop.
The more serious of the two, CVE-2023-36419, is caused by a lack of proper user input validation, opening the door to XML External Entity (XXE) injection attacks. XXE arises when an XML parser honours a document type definition (DTD) supplied with the input and resolves the external entities it declares. An attacker exploiting XXE in the workflow scheduler could escalate privileges and read arbitrary files on the server, including sensitive system files. CVE-2023-36419 was assigned a “high” 8.8 CVSS score by Microsoft, but a “critical” 9.8 by the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD).
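The usual mitigation for the class of bug described above is to refuse any DTD in untrusted XML before the document is parsed, so no entity can ever be declared, expanded or fetched. The following is an added example written for this page, not Oozie's own code or its fix for CVE-2023-36419: it uses Python's standard expat bindings to walk a document and abort on a DOCTYPE, an entity declaration or an external entity reference, then hands the vetted bytes to ElementTree. The two sample documents are constructed, and the Oozie-style `workflow-app` element and the `file:///server/local/file` URL are illustrative placeholders.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity construct."""


def _reject_dtd(data: bytes) -> None:
    """Walk the document with expat and abort on any DTD construct.

    Handlers are installed for the three expat callbacks that fire on a
    DOCTYPE declaration, an entity declaration and an external entity
    reference. Each raises, so parsing stops before anything is expanded
    or fetched. Malformed XML raises expat.ExpatError and is left to the
    caller.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration for {name!r} not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference to {sysid!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with DTDs forbidden outright."""
    _reject_dtd(data)
    return ET.fromstring(data)


def rejects(data: bytes) -> bool:
    """True if the DTD gate refuses the document, False if it parses."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample: a minimal Oozie-style workflow definition (placeholder
# content, not a real Oozie workflow).
SAFE_WORKFLOW = (
    b'<?xml version="1.0"?>'
    b'<workflow-app name="demo" xmlns="uri:oozie:workflow:0.5">'
    b'<start to="end"/><end name="end"/></workflow-app>'
)

# Constructed sample of the shape an XXE attempt takes: a DTD declaring an
# external entity. The file URL is a placeholder; the gate rejects the
# document at the DOCTYPE, before the entity is ever resolved.
XXE_WORKFLOW = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE workflow-app [<!ENTITY ext SYSTEM "file:///server/local/file">]>'
    b'<workflow-app name="demo" xmlns="uri:oozie:workflow:0.5">'
    b'<start to="end"/><end name="end"/><note>&ext;</note></workflow-app>'
)


if __name__ == "__main__":
    root = parse_untrusted_xml(SAFE_WORKFLOW)
    print("accepted:", root.tag)
    print("rejected XXE sample:", rejects(XXE_WORKFLOW))
```

This is the same policy the `defusedxml` package applies, and it is stricter than only disabling external entities: an internal-subset DTD is refused too, which also closes entity-expansion (billion laughs) denial of service. For a Java service such as Oozie the equivalent is to set the `http://apache.org/xml/features/disallow-doctype-decl` feature to `true` on the `DocumentBuilderFactory` or `SAXParserFactory` before parsing user-supplied XML.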