Brahma Reddy Battula

**Name of the Vulnerable Software and Affected Versions** Apache Ambari versions prior to 2.7.8 **Description** The issue is related to a lack of proper input validation and constraint enforcement, which could be exploited to perform unauthorized actions, including data access, session hijacking, and delivering malicious payloads. This is a stored XSS issue, where malicious code gets executed whenever a legitimate user interacts with the compromised part of Ambari. **Recommendations** For Apache Ambari versions prior to 2.7.8, upgrade to version 2.7.8, which fixes this issue. As a temporary workaround, consider restricting access to potentially vulnerable components of Ambari to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Ambari versions prior to 2.7.8 **Description** The issue allows a Cluster Operator to manipulate the request by adding a malicious code injection, potentially gaining root access over the cluster main host. This presents a severe risk to organizations relying on Ambari for their Hadoop cluster management. The vulnerability enables authenticated users to perform command injection, leading to remote code execution (RCE). **Recommendations** For Apache Ambari versions prior to 2.7.8, upgrade to version 2.7.8 to fix the issue. As a temporary workaround, consider restricting access to the cluster main host and limiting the privileges of Cluster Operators to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Apache Ambari versions <= 2.7.7 Description: The issue is related to an XML External Entity (XXE) injection attack in the Oozie Workflow Scheduler component of Apache Ambari. This vulnerability is caused by a lack of proper user input validation, allowing for root-level file reading and potential privilege escalation from low-privilege users. Attackers can exploit this vulnerability to read arbitrary files on the server, including sensitive system files, and potentially escalate privileges. Recommendations: To resolve the issue, users are recommended to upgrade to version 2.7.8, which fixes this issue. As a temporary workaround, consider restricting access to the Oozie Workflow Scheduler component to minimize the risk of exploitation. Avoid using the vulnerable component until the issue is resolved by upgrading to the fixed version.