A critical vulnerability, CVE-2024-4701, has been identified in Netflix’s open-source Genie job orchestration engine for big data applications, potentially allowing remote attackers to execute arbitrary code. The vulnerability carries a severity score of 9.9 out of 10 and affects organizations running their own instance of Genie OSS that use the local file system to upload and store user-submitted file attachments. The issue was discovered by Contrast Security researchers and reported to Netflix, which has since released a fixed version, Genie OSS 4.3.18, and is urging organizations to upgrade to mitigate the risk.
The vulnerability stems from a Genie API that allows users to submit SQL queries via Spark SQL and upload SQL files containing the queries. Researchers found that the filename parameter is susceptible to a path traversal attack, allowing attackers to upload files to unintended locations. This flaw can enable remote code execution, potentially exposing sensitive data and system files. Netflix identified the problem as related to the API accepting user-supplied filenames and using them when writing files to disk, making it possible for malicious actors to manipulate filenames for path traversal.
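The filename handling described above, as an added illustrative example that is not Genie's own code: a vulnerable join that trusts the client-supplied name next to a hardened version that allow-lists the name and confirms the resolved path stays inside the upload root, plus a helper defenders can run over logged filenames to flag ones that would have escaped. The upload root and filenames are constructed for the example.

```python
import os
import re

# Constructed upload root for the example; not a real Genie path.
UPLOAD_ROOT = "/srv/genie/attachments"


def unsafe_attachment_path(upload_root: str, filename: str) -> str:
    """Vulnerable pattern: the user-supplied name is joined straight onto the
    upload directory, so '..' segments or an absolute name escape the root."""
    return os.path.join(upload_root, filename)


# Allow-list: a single path component of safe characters, no separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,255}")


def safe_attachment_path(upload_root: str, filename: str) -> str:
    """Hardened pattern: reject anything that is not a plain filename, then
    verify the resolved path is still under the root. Raises ValueError."""
    if not SAFE_NAME.fullmatch(filename) or filename in (".", ".."):
        raise ValueError(f"rejected attachment name: {filename!r}")
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, filename))
    # Defence in depth: even after the allow-list, insist on containment.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"name resolves outside upload root: {filename!r}")
    return candidate


def is_accepted(upload_root: str, filename: str) -> bool:
    """Yes/no wrapper around safe_attachment_path for callers and tests."""
    try:
        safe_attachment_path(upload_root, filename)
        return True
    except ValueError:
        return False


def escapes_root(upload_root: str, filename: str) -> bool:
    """Detection helper: True when a logged filename would have landed outside
    the root under the vulnerable join, i.e. a traversal attempt worth triage."""
    root = os.path.realpath(upload_root)
    target = os.path.realpath(unsafe_attachment_path(root, filename))
    return os.path.commonpath([root, target]) != root
```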
Netflix has been using Genie internally for over a decade to run thousands of daily Hadoop jobs and released the technology to the open-source community in 2013. Genie orchestrates, runs, and monitors big data jobs and workflows, providing APIs for managing metadata and configuration of distributed computational clusters and applications. The vulnerability affects Genie OSS versions prior to 4.3.18, and Netflix has fixed the issue in this latest version. Organizations are advised to upgrade immediately and limit network access to the Genie application if they cannot update right away.
Path traversal vulnerabilities, such as this one, are a common and dangerous issue. The FBI’s Internet Crime Complaint Center (IC3) has recently issued an advisory on the vulnerability class, citing its frequent exploitation by threat actors. Examples include recent vulnerabilities in ConnectWise ScreenConnect and Cisco AppDynamics Controller, which were used to deliver ransomware and target critical infrastructure organizations. The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI urge organizations to vet their products for potential directory traversal issues and take immediate measures to mitigate these vulnerabilities.