CVE-2025-8904: CWE-257: Storing Passwords in a Recoverable Format in Amazon EMR
Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decrypt the keys and escalate to higher privileges. Users are advised to upgrade to Amazon EMR version 7.5 or higher. For Amazon EMR releases between 6.10 and 7.4, we strongly recommend that you run the bootstrap script and RPM files with the fix provided in the location below.
AI Analysis
Technical Summary
CVE-2025-8904 is a critical vulnerability identified in Amazon EMR (Elastic MapReduce) versions 6.10 through 7.4, related to the insecure storage of Kerberos credentials by the Amazon EMR Secret Agent component. Specifically, the Secret Agent generates a keytab file containing Kerberos credentials, which is stored in the /tmp/ directory on the system. This directory is typically world-readable or accessible by multiple users on the same host. Because the keytab file contains sensitive authentication material, an attacker with access to the /tmp/ directory and a separate user account on the same system could potentially retrieve and decrypt these credentials. This could enable privilege escalation by impersonating higher-privileged users or services authenticated via Kerberos, thereby compromising confidentiality, integrity, and availability of the EMR cluster and associated data processing workloads. The vulnerability is categorized under CWE-257, which refers to storing passwords or credentials in a recoverable format, highlighting the risk of credential exposure. The CVSS 4.0 base score is 9.0 (critical), reflecting the network attack vector, high complexity, partial privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Amazon has advised upgrading to EMR version 7.5 or higher, where this issue is resolved. For versions between 6.10 and 7.4, a bootstrap script and RPM patch are recommended to mitigate the vulnerability. No known exploits are currently reported in the wild, but the potential for privilege escalation and lateral movement within cloud environments makes this a significant threat to organizations using affected EMR versions.
Potential Impact
For European organizations leveraging Amazon EMR for big data processing and analytics, this vulnerability poses a serious risk. Unauthorized access to Kerberos credentials could allow attackers to escalate privileges within the EMR cluster, potentially leading to unauthorized data access, manipulation, or disruption of critical data workflows. Given the sensitive nature of data processed in EMR clusters—often including personal data subject to GDPR—such a breach could result in regulatory non-compliance, financial penalties, and reputational damage. Additionally, the ability to impersonate privileged users could facilitate further lateral movement within the cloud environment, increasing the attack surface and risk of broader compromise. The impact extends beyond data confidentiality to integrity and availability, as attackers could disrupt or alter data processing jobs, affecting business operations and decision-making. The vulnerability's exploitation does not require user interaction but does require some level of access to the system, which could be obtained through other means such as compromised user credentials or insider threats. Therefore, European organizations must prioritize remediation to maintain compliance and secure their cloud infrastructure.
Mitigation Recommendations
1. Immediate upgrade to Amazon EMR version 7.5 or later, where the vulnerability is fully addressed.
2. For environments unable to upgrade immediately, deploy the provided bootstrap script and RPM patch from Amazon to remediate the vulnerability in versions 6.10 through 7.4.
3. Restrict access permissions to the /tmp/ directory on EMR nodes to prevent unauthorized users from reading sensitive files. Implement strict file system ACLs or mount options to limit exposure.
4. Monitor and audit access to EMR nodes, especially the /tmp/ directory, to detect suspicious activities or unauthorized access attempts.
5. Employ network segmentation and strong identity and access management (IAM) policies to limit lateral movement and reduce the risk of privilege escalation.
6. Rotate Kerberos credentials and related secrets after applying patches to invalidate any potentially compromised keys.
7. Incorporate EMR security best practices, including the use of encryption at rest and in transit, and regular vulnerability scanning of cloud resources.
8. Educate administrators and users on the risks of credential exposure and enforce least privilege principles to minimize attack vectors.
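Recommendations 3 and 4 above come down to one verifiable question: is there a Kerberos keytab on the node that a user other than its owner can read? The script below is an added example written for this page; it is not Amazon's bootstrap script or RPM fix and it does not know the Secret Agent's real file names, so the sample names it creates are placeholders. It identifies keytabs by the MIT krb5 file header (bytes 0x05 0x01 or 0x05 0x02) rather than by name, then flags any whose mode grants read access to group or other. It builds a constructed sample directory so it runs offline; on an EMR node you would point `exposed_keytabs` at /tmp.

```python
"""Audit a directory for Kerberos keytab files readable by other local users.

Added example for CVE-2025-8904 (not Amazon's fix). Keytabs are detected by
the MIT krb5 keytab header, and a finding is raised when group or other has
the read bit. Sample files are constructed in a temporary directory.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

KEYTAB_MAGIC = (b"\x05\x01", b"\x05\x02")   # krb5 keytab format versions 1 and 2
WIDE_READ_BITS = stat.S_IRGRP | stat.S_IROTH  # any of these lets a non-owner read


@dataclass
class Finding:
    path: str
    mode: str            # octal permission string, e.g. "0644"
    owner_uid: int
    readable_by_others: bool


def looks_like_keytab(path: str) -> bool:
    """Return True if the file begins with a krb5 keytab version header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) in KEYTAB_MAGIC
    except OSError:
        return False


def audit_keytabs(root: str) -> list[Finding]:
    """Walk `root` and return one Finding per regular file that is a keytab."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)               # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode) or not looks_like_keytab(full):
                continue
            perm = stat.S_IMODE(st.st_mode)
            findings.append(Finding(
                path=full,
                mode=f"{perm:04o}",
                owner_uid=st.st_uid,
                readable_by_others=bool(perm & WIDE_READ_BITS),
            ))
    return findings


def exposed_keytabs(root: str) -> list[str]:
    """Sorted paths of keytabs under `root` that group or other can read."""
    return sorted(f.path for f in audit_keytabs(root) if f.readable_by_others)


def build_sample_tree() -> str:
    """Constructed sample: one exposed keytab, one locked-down keytab, and one
    non-keytab file with a loose mode. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="keytab-audit-")
    keytab_bytes = b"\x05\x02" + b"\x00" * 16   # header plus filler, not a real key
    samples = (
        ("service.keytab", keytab_bytes, 0o644),   # placeholder name; exposed
        ("locked.keytab", keytab_bytes, 0o600),    # owner-only; fine
        ("notes.txt", b"plain text", 0o644),       # loose mode but not a keytab
    )
    for name, data, mode in samples:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for f in audit_keytabs(sample):
        flag = "EXPOSED" if f.readable_by_others else "ok"
        print(f"{flag:8} {f.mode} uid={f.owner_uid} {f.path}")
    # On an EMR node, replace `sample` with "/tmp" to audit the real directory.
```

Matching on the file header rather than a `.keytab` suffix matters here because a credential file written by a service need not carry a telling name. Running this from a scheduled job and alerting on a non-empty `exposed_keytabs("/tmp")` result gives a simple, host-local detection for recommendation 4 while the upgrade or patch is rolled out.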
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: AMZN
- Date Reserved: 2025-08-12T19:43:46.286Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689cc8bead5a09ad004f5c94
Added to database: 8/13/2025, 5:17:50 PM
Last enriched: 9/26/2025, 1:07:50 AM
Last updated: 9/27/2025, 10:27:14 AM
Views: 161