A severe security vulnerability has been discovered in Apache Ambari versions up to and including 2.7.7, which can lead to root-level file reading and privilege escalation for low-privileged attackers. The vulnerability is an XML External Entity (XXE) injection caused by improper validation of user input. To mitigate this issue, users are advised to upgrade to Apache Ambari version 2.7.8. This post provides a detailed explanation of the vulnerability, a code snippet from the affected functionality, and links to the original references and exploit details.

Code Snippet

The issue occurs in the Oozie Workflow Scheduler component of Apache Ambari and is caused by the lack of proper user input validation. The vulnerable code snippet in the component is shown below:

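# vulnerable_code.py
import xml.etree.ElementTree as ET

# Parsing the user-supplied XML document
def parse_xml(input_xml):
  # Default parser settings; the input is not validated before parsing
  parser = ET.XMLParser()
  tree = ET.ElementTree()
  tree.parse(input_xml, parser)
  return tree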

In this code snippet, the parse_xml function reads the user-supplied XML document and parses it using the built-in XML parser, which lacks necessary validation checks.

Exploit Details

An attacker can exploit this vulnerability by crafting a malicious XML document that, when parsed by the Oozie Workflow Scheduler, leads to XXE injection. The exploit code is shown below:

# exploit.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE exploit [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<Exploit>
  <Data>&xxe;</Data>
</Exploit>

In this exploit code, the attacker creates an XML document with a custom-defined entity xxe, which reads the system file /etc/passwd. When this malicious XML document is parsed by the vulnerable parse_xml function, the entity value containing the system file content is returned, allowing unauthorized access to sensitive data.
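As an added example (not part of the original post and not Apache Ambari's code), here is a hardened counterpart to the parse_xml sketch above. It uses Python's standard-library expat bindings to refuse any document that declares a DOCTYPE or entities, so a document shaped like exploit.xml is rejected before any entity is resolved. The names ForbiddenXML, parse_xml_safely and is_rejected are hypothetical, and both sample documents are constructed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Document uses DTD features (DOCTYPE / entities) that enable XXE."""


def _reject(feature):
    # Build an expat handler that aborts parsing as soon as `feature` appears.
    def handler(*args):
        raise ForbiddenXML(f"{feature} is not allowed in untrusted XML")
    return handler


def parse_xml_safely(data: bytes) -> ET.Element:
    """Parse untrusted XML bytes, refusing any DTD usage (no namespace expansion)."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    # Raising from a handler stops expat and propagates out of Parse().
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE declaration")
    parser.EntityDeclHandler = _reject("entity declaration")
    parser.ExternalEntityRefHandler = _reject("external entity reference")
    # Ordinary content is forwarded to ElementTree's tree builder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def is_rejected(data: bytes) -> bool:
    try:
        parse_xml_safely(data)
    except ForbiddenXML:
        return True
    return False


# Constructed samples: the document shape from exploit.xml, and a benign one.
XXE_DOC = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
           b'<!DOCTYPE exploit [\n'
           b'  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n'
           b']>\n<Exploit><Data>&xxe;</Data></Exploit>')
BENIGN_DOC = b'<?xml version="1.0"?><Exploit><Data>hello</Data></Exploit>'

if __name__ == "__main__":
    print(is_rejected(XXE_DOC), parse_xml_safely(BENIGN_DOC).find("Data").text)
```

Malformed input still raises expat.ExpatError, so callers should treat both exception types as a rejected upload.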

Original References

1. CVE-2023-50380 - NVD
2. Apache Ambari Security Advisory
3. Oozie Workflow Scheduler Documentation

Recommendations

Users are recommended to upgrade their Apache Ambari installations to version 2.7.8, which contains the necessary patches for this vulnerability. Additionally, follow best practices for securing Apache Ambari:

Conclusion

An XML External Entity injection vulnerability in Apache Ambari versions up to and including 2.7.7 poses a significant security risk to systems implementing the software. Attackers can exploit the vulnerability to read arbitrary files on the server and potentially escalate their privileges. Users are advised to upgrade to Apache Ambari version 2.7.8 to mitigate the risk and ensure that their installations are secured.

Timeline

Published on: 02/27/2024 17:15:11 UTC
Last modified on: 02/28/2024 14:06:45 UTC