Microsoft recently remediated one Denial of Service and two Elevation of Privilege vulnerabilities affecting third-party components of Azure HDInsight.
The Microsoft Security Response Center continually works with security researchers who discover security vulnerabilities in our products and services.
These vulnerabilities were originally identified through independent testing conducted by Orca Security and reported to MSRC via our Coordinated Vulnerability Disclosure process.
Microsoft released fixes for two of the vulnerabilities in October.
The fix for the Denial of Service vulnerability was included in the latest Azure HDInsight release as a defense-in-depth measure.
Microsoft has not observed exploitation of these vulnerabilities beyond the proofs-of-concept provided by the researcher.
Customers are encouraged to deploy the latest HDInsight image, 2310140056, which contains fixes for all three vulnerabilities.
Network security group (NSG) separation between tenant subnets prevents cross-tenant exploitation of these vulnerabilities against HDInsight clusters.
Our security team engages in vulnerability variant hunting to identify security anti-patterns that lead to vulnerabilities across our products and services.
To further strengthen the security of HDInsight, and all Microsoft products, we continuously upgrade our static analysis rules to detect and mitigate bugs early in the product pipeline.
As part of our learnings from the vulnerabilities identified by Orca Security, the HDInsight team will conduct a comprehensive security review of our critical open-source dependencies, including Apache Ambari, Apache Oozie, and others.
Orca Security reported two Elevation of Privilege and one Denial of Service vulnerability affecting Azure HDInsight in July and August 2023.
After analyzing the vulnerability report, we contacted the Apache security team on October 4, 2023, and have been in coordination since.
All three vulnerabilities have been mitigated, and customers are encouraged to deploy the latest HDInsight image, 2310140056, which contains the fixes for all three.
Microsoft has no evidence of these vulnerabilities being exploited in HDInsight outside of the proofs of concept provided by the researcher.
These vulnerabilities were demonstrated by Orca Security and reproduced by Microsoft security teams before being mitigated.
Microsoft continually invests in proactive efforts to identify, mitigate, and prevent security vulnerabilities across our services, including making improvements to our analysis tools, performing proactive variant hunting, and strengthening our SDL controls to catch security flaws early in the development cycle.
We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research.
Researchers who report security issues to the Microsoft Security Response Center are eligible to participate in Microsoft's Bug Bounty Program.
Get notified when a potential security event impacts your Azure resources by configuring Service Health alerts in the Azure Portal.
Published on msrc.microsoft.com. Publication date: Thu, 07 Dec 2023 14:43:05 +0000