A critical vulnerability has been discovered in Apache Ambari, an open-source management platform for provisioning, managing, and monitoring Apache Hadoop clusters, in versions prior to 2.7.8. The vulnerability, tracked as CVE-2023-50379, allows a Cluster Operator to manipulate a request by injecting malicious code, thereby gaining root access over the cluster main host. This post examines the vulnerability in detail, with a sample request, links to the original references, and exploit details.

An example of the malicious code injection in Apache Ambari would look like this:

POST /api/v1/clusters/my_cluster/hosts HTTP/1.1
Host: ambari-server.example.com
Content-Type: application/x-www-form-urlencoded
User-Agent: attacker

request_data={"host_name":"hadoop-node.example.com", "public_host_name":"hadoop-node.example.com", "os_type": "$(malicious_code_here)"}

In the example above, the 'os_type' parameter, which is supposed to be a plain string naming the operating system in use, is modified to carry a command (malicious_code_here) enclosed in $(), a basic example of command injection. Because the value is passed to a shell without validation, an attacker who sends this request to the Ambari server can execute arbitrary commands on the host with the privileges of the Ambari process.

Exploit Details

The vulnerability is present because user-supplied input in the 'os_type' parameter of the HTTP POST request is not properly validated. When creating or updating a cluster, an attacker can include additional shell commands in this parameter, and they are executed with the privileges of the Ambari server process. Consequently, a remote authenticated attacker can gain unauthorized control over the main host of the target cluster.
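As an added illustration of the defensive side, the following is an example validator (not Ambari's own code) for the request_data body shown above: it enforces strict grammars for host_name, public_host_name and os_type before any value could reach a shell, and doubles as a log-review check that flags bodies like the one in the post. The sample bodies are constructed for this example, and the request_data layout assumes the shape shown in the post rather than Ambari's real wire format.

```python
import json
import re

# Constructed sample 'request_data' bodies in the shape the post shows.
SAMPLE_BODIES = [
    '{"host_name":"hadoop-node.example.com", "public_host_name":"hadoop-node.example.com", "os_type":"centos7"}',
    '{"host_name":"hadoop-node.example.com", "public_host_name":"hadoop-node.example.com", "os_type":"$(malicious_code_here)"}',
    '{"host_name":"hadoop-node.example.com", "public_host_name":"hadoop-node.example.com", "os_type":"ubuntu18; id"}',
]

# Allowlist grammars: RFC 1123 hostname labels, and a short lowercase token
# such as 'centos7' or 'ubuntu18' for os_type. Anything else, including $(),
# backticks, ';' or whitespace, is rejected outright rather than escaped.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
OS_TYPE_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")

FIELD_RULES = {"host_name": HOSTNAME_RE, "public_host_name": HOSTNAME_RE, "os_type": OS_TYPE_RE}


def validate_request_data(body):
    """Return a list of findings for one request_data body; empty means it passed."""
    findings = []
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return ["malformed JSON: " + exc.msg]
    if not isinstance(data, dict):
        return ["request_data is not a JSON object"]
    for field, pattern in FIELD_RULES.items():
        value = data.get(field)
        if not isinstance(value, str):
            findings.append(field + ": missing or not a string")
        elif not pattern.fullmatch(value):
            findings.append(field + ": rejected value " + repr(value))
    return findings


def scan_bodies(bodies):
    """Map each body to its findings, e.g. when replaying captured API requests."""
    return {body: validate_request_data(body) for body in bodies}


if __name__ == "__main__":
    for body, findings in scan_bodies(SAMPLE_BODIES).items():
        print("OK   " if not findings else "ALERT", body, findings)
```

Even with this validation in place, the server-side fix is to never build a shell command string from these fields; pass them as discrete arguments to the process API instead.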

Since Apache Ambari is often used to manage sensitive and critical clusters, this vulnerability poses a significant risk to organizations and their infrastructure. An attacker could leverage it to access sensitive information, disrupt operations, or take control of the cluster and its resources.

References

1. Official CVE details - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50379
2. Apache Ambari - https://ambari.apache.org/
3. Apache Ambari security advisories - https://ambari.apache.org/security/

Recommendations

Users of Apache Ambari are strongly urged to upgrade their installations to version 2.7.8 or later to address this vulnerability. The latest release contains a fix for the issue, preventing exploitation of this flaw in the Ambari platform.

Conclusion

CVE-2023-50379 highlights the need for organizations to keep their software up to date and to adopt a proactive security mindset to protect their infrastructure against potential attacks. By upgrading Apache Ambari to version 2.7.8 or later, users can safeguard the data managed by Ambari and prevent unauthorized access to their clusters.

Timeline

Published on: 02/27/2024 09:15:36 UTC
Last modified on: 02/27/2024 14:20:06 UTC