A critical vulnerability in Netflix's Genie OSS allows remote attackers to execute arbitrary code through the file upload path; versions prior to 4.3.18 are affected.

Critical vulnerability (CVE-2024-4701, CVSS 9.9) in Netflix's Genie opens door to RCE

Genie, used for big data orchestration, provides APIs to manage and run jobs across frameworks such as Hadoop and Spark, and therefore has access to significant internal resources. Contrast Security researchers discovered the bug, which enables remote code execution during the file upload process and could expose sensitive data and system files. Netflix released a fix in version 4.3.18 and advises organizations to upgrade to avoid exploitation. The vulnerability is a path traversal on the filename parameter of the upload: a crafted filename lets an attacker write files outside the intended directory and gain control of the server. With threat actors actively exploiting flaws of this class, it is important to mitigate such issues promptly.
https://www.darkreading.com/application-security/netflix-fixes-critical-vulnerability-on-big-data-orchestration-service
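The bug class described above, as an added example that is not Genie's code and not from the article: a vulnerable join of a user-supplied filename onto an attachment directory, beside a hardened version that rejects separators and proves containment. The directory `/srv/genie/attachments`, the helper names and the sample filenames are all constructed for illustration.

```python
"""Path-traversal check for user-supplied upload filenames (constructed example)."""
import os


def naive_upload_path(base_dir: str, filename: str) -> str:
    # Vulnerable pattern: the raw filename is joined onto the attachment
    # directory. os.path.join discards base_dir when filename is absolute,
    # and ".." segments walk out of it once the path is normalised.
    return os.path.normpath(os.path.join(base_dir, filename))


class UnsafeFilename(ValueError):
    """Raised when a filename would escape the attachment directory."""


def safe_upload_path(base_dir: str, filename: str) -> str:
    # Hardened pattern: accept only a single plain path component, then
    # prove containment on the resolved result as defence in depth.
    if not filename or filename in (".", ".."):
        raise UnsafeFilename(f"empty or dot-only name: {filename!r}")
    if "\x00" in filename:
        raise UnsafeFilename("NUL byte in filename")
    # Treat both separator styles as separators so a "..\\" name cannot
    # slip past a POSIX-only check when the service runs on Windows.
    if "/" in filename or "\\" in filename:
        raise UnsafeFilename(f"path separator in filename: {filename!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # Containment check: the candidate must resolve to a child of base.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeFilename(f"resolves outside attachment dir: {filename!r}")
    return candidate


def vet_filenames(base_dir: str, names: list[str]) -> dict[str, bool]:
    """Map each name to True (accepted) or False (rejected), e.g. for audit logs."""
    verdicts = {}
    for name in names:
        try:
            safe_upload_path(base_dir, name)
            verdicts[name] = True
        except UnsafeFilename:
            verdicts[name] = False
    return verdicts


if __name__ == "__main__":
    base = "/srv/genie/attachments"  # constructed path, not Genie's default
    print("naive :", naive_upload_path(base, "../../../etc/passwd"))
    print("vetted:", vet_filenames(base, ["report.csv", "../../../etc/passwd"]))
```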