CVE-2024-4701 (CVSS 9.9): Major RCE Risk in Netflix’s Genie Platform
A severe remote code execution (RCE) vulnerability has been discovered in Genie, Netflix’s popular open-source job orchestration engine for big data processing. The flaw, tracked as CVE-2024-4701, carries a critical CVSS score of 9.9.
Genie, the open-source distributed job orchestration engine developed by Netflix, is used extensively to manage big data jobs across multiple distributed processing clusters. It supports a variety of big data platforms like Hadoop, Pig, Hive, Spark, Presto, and Sqoop, offering REST-ful APIs for efficient job and metadata management.
Image: Netflix
The flaw impacts users of Genie’s open-source software (OSS) who store file attachments locally on the underlying file system. By manipulating the filename in the multipart/form-data file upload request, an attacker can traverse the directory structure and write files outside of the intended storage path. This exploitation can potentially allow attackers to execute arbitrary code on the system. Users who do not store these attachments locally are not vulnerable to this specific issue.
The issue lies within Genie’s API for handling file uploads. It allows users to directly provide a filename during the upload process. A malicious actor could carefully craft a filename to execute a path traversal attack. This technique enables the attacker to write arbitrary files with chosen content to any location on the server where the Genie process has write permissions.
Successful exploitation of the CVE-2024-4701 flaw could grant an attacker the ability to execute their malicious code on a vulnerable Genie server. This has serious ramifications, potentially leading to complete system compromise.
Security researcher jmoritzc53 has been recognized for responsibly disclosing this critical vulnerability.
The Genie development team has addressed this vulnerability in Genie OSS version 4.3.18. Users are strongly advised to upgrade to this patched version as soon as possible. The fix resides in issue #1217.
