Microsoft Patches Critical XSS Flaws in Azure HDInsight Analytics Service


Key takeaways:

  • Eight critical cross-site scripting (XSS) vulnerabilities were identified in Microsoft’s Azure HDInsight service, posing potential threats to data security and user privacy.
  • Security researchers identified inadequate input sanitization and output encoding as the root causes of these vulnerabilities.
  • Microsoft released patches to address these vulnerabilities in August Patch Tuesday updates. It’s also recommended to implement best security practices, including input validation and the principle of least privileges.

Microsoft has recently patched eight cross-site scripting (XSS) vulnerabilities impacting Azure HDInsight. These vulnerabilities could have allowed unauthorized access, session hijacking, and the deployment of malicious code.

Azure HDInsights is a fully managed service that lets organizations use open-source frameworks for big data analytics, management, and processing. They can use the frameworks to create optimized clusters for Apache Spark, Apache Kafka, Hadoop, HBase, and Interactive Query (LLAP) on Microsoft Azure. The service provides Azure Monitor logging integration to let IT admins monitor HDInsight clusters.

In a recent report, Orca Security published details about eight critical vulnerabilities in various Apache services in Azure HDInsight. These were cross-site scripting (XSS) vulnerabilities that could be exploited to hack Web sessions and steal user data. Cross-site scripting (XSS) is a type of attack that lets hackers execute malicious code within a victim’s browser.

“All 8 XSS vulnerabilities discovered in various platforms and components in Azure HDInsight primarily resulted from the lack of proper input sanitization. This omission allowed malicious characters to be rendered once the dashboard was loaded, demonstrating inadequate output encoding that fails to neutralize these characters when rendered,” Orca explained.

How can IT admins reduce exposure to XSS vulnerabilities?

Last month, Microsoft released August Patch Tuesday updates to address the security flaws in enterprise environments. However, customers would need to update their Azure HDInsight instances to apply the security patches.

It’s highly recommended that organizations should follow best security practices to block XSS attacks in corporate environments. These include performing input validation and output encoding, implementing a Content Security Policy (CSP), as well as applying the principle of least privileges.