Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                              CERT-Renater

                  Note d'Information No. 2025/VULN031

_____________________________________________________________________

DATE                : 22/01/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Ambari versions prior to
                                           2.7.9.

=====================================================================
https://lists.apache.org/thread/xq50nlff7o7z1kq3y637clzzl6mjhl8j
https://lists.apache.org/thread/70g1l5lxvko7kvhyxmtmklhhfrlon837
https://lists.apache.org/thread/hsb6mvxd7g37dq1ygtd0pd88gs9tfcwq
_____________________________________________________________________

CVE-2024-51941: Apache Ambari: Remote Code Injection in Ambari
Metrics and AMS Alerts

Severity: important

Affected versions:

- Apache Ambari through 2.7.8


Description:

A remote code injection vulnerability exists in the Ambari Metrics
and AMS Alerts feature, allowing authenticated users to inject and
execute arbitrary code. The vulnerability occurs when processing
alert definitions, where malicious input can be injected into the
alert script  execution path. An attacker with authenticated access
can exploit this vulnerability to execute arbitrary commands on the
server. The issue has  been fixed in the latest versions of Ambari.

This issue is being tracked as AMBARI-26202 


Credit:

4ra1n (https://github.com/4ra1n) (finder)
h4cking2thegate@gmail.com (reporter)


References:

https://ambari.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-51941
https://issues.apache.org/jira/browse/AMBARI-26202

_____________________________________________________________________

CVE-2025-23196: Apache Ambari: Code Injection Vulnerability in Ambari
Alert Definition

Severity: important

Affected versions:

- Apache Ambari 8 before 2.7.9


Description:

A code injection vulnerability exists in the Ambari Alert Definition 
feature, allowing authenticated users to inject and execute arbitrary 
shell commands. The vulnerability arises when defining alert scripts, 
where the script filename field is executed using `sh -c`. An attacker 
with authenticated access can exploit this vulnerability to inject 
malicious commands, leading to remote code execution on the server.
The issue has been fixed in the latest versions of Ambari.


Credit:

Liyw979 (reporter)
robinzeng2015 (reporter)
fcgboy (reporter)
wk2025 (reporter)


References:

https://ambari.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-23196

_____________________________________________________________________

CVE-2025-23195: Apache Ambari: XML External Entity (XXE)
Vulnerability in Ambari/Oozie

Severity: moderate

Affected versions:

- Apache Ambari before 2.7.9


Description:

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie 
project, allowing an attacker to inject malicious XML entities. This 
vulnerability occurs due to insecure parsing of XML input using the 
`DocumentBuilderFactory` class without disabling external entity 
resolution. An attacker can exploit this vulnerability to read
arbitrary  files on the server or perform server-side request forgery
(SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the
trunk branch.


References:

https://ambari.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-23195
	
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================