Jupyter Notebooks unwittingly open huge server security hole
Andrew Hay
COO, CISO, problem solver, team builder, data whisperer, international public speaker, investor, competitive powerlifter, rugby coach, and proud Canadian.
Many individuals rely on Jupyter Notebooks to learn new programming languages, build proof-of-concept tools and interactively analyze data. But what happens when security rigor is sacrificed in favor of standing up a notebook server as quickly as possible? Unfortunately, as you will learn, easily preventable misconfigurations are overlooked and serious security weaknesses are left exposed for attackers to exploit.
In December 2016, research by DataGravity discovered more than 350 internet-facing Jupyter Notebook servers providing unauthenticated access to Jupyter's web user interface and its associated command-line shell (terminal) interface. Default installations of Jupyter Notebook prior to version 4.3 enable no authentication at all, so once such a server is bound to a public interface rather than the loopback address, anyone who can reach the port gets full, unauthenticated access to the notebook web interface. From there, an attacker can exploit three trivial vectors to gain full interaction with the target system with the permissions of the user that started the notebook server.
These vectors were reported on December 13, 2016, via the Common Vulnerabilities and Exposures (CVE) system and were assigned the identifier CVE-2016-9970. The vulnerable systems span popular cloud hosting providers, traditional brick-and-mortar hosting facilities, telecommunications companies, and educational institutions in countries around the world, including China, Japan, Iran and the U.S.
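The quickest way to tell whether one of your own notebook servers is in the exposed state described above is to ask it the way an attacker would: request the REST endpoints that list the filesystem and the terminals without any credentials. The script below is an added example written for this article, not tooling from the DataGravity report. It treats a 200 response with a JSON body as an open server, and either a redirect to /login or a 401/403 as a server that is demanding authentication (which of those two an authenticated-only server returns depends on the notebook version, so both are accepted). The sample responses embedded in it are constructed for offline use, not captured from any real host.

```python
"""Probe a Jupyter Notebook server for unauthenticated access.

Added example (editor's code, not the DataGravity report's tooling). It sends
unauthenticated GETs to two notebook REST endpoints and classifies what comes
back: a 200 with a JSON body means the directory listing / terminal list is
served to anyone; a redirect to /login or a 401/403 means the server is
demanding credentials.
"""
import json
import sys
import urllib.error
import urllib.request

# Endpoints that a correctly configured server never serves without a login.
PROBE_PATHS = ("/api/contents", "/api/terminals")

# Constructed sample responses (not captured from any real host) so the
# classifier can be exercised offline: (status, body, Location header).
SAMPLE_RESPONSES = {
    "open-server": (200, b'{"name": "", "path": "", "type": "directory", "content": []}', None),
    "password-protected": (302, b"", "/login?next=%2Fapi%2Fcontents"),
    "token-protected": (403, b'{"message": "Forbidden"}', None),
    "some-other-http-service": (200, b"<html><body>Welcome to nginx!</body></html>", None),
}


def classify(status, body, location=None):
    """Map one response to 'open', 'auth_required' or 'not_jupyter'."""
    if status == 200:
        try:
            json.loads(body.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            return "not_jupyter"  # 200 but not JSON: not the notebook API
        return "open"
    if status in (301, 302, 303, 307, 308) and location and "/login" in location:
        return "auth_required"
    if status in (401, 403):
        return "auth_required"
    return "not_jupyter"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following the /login redirect so we can observe it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, timeout=5):
    """Return {path: verdict} for each probe path on base_url (live network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    results = {}
    for path in PROBE_PATHS:
        url = base_url.rstrip("/") + path
        try:
            with opener.open(url, timeout=timeout) as resp:
                results[path] = classify(resp.status, resp.read(), resp.headers.get("Location"))
        except urllib.error.HTTPError as err:
            # Redirects and 4xx land here because redirect_request returned None.
            results[path] = classify(err.code, err.read(), err.headers.get("Location"))
        except (urllib.error.URLError, OSError):
            results[path] = "unreachable"
    return results


def demo():
    """Run the classifier over the constructed samples."""
    return {name: classify(*resp) for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python probe.py http://203.0.113.10:8888
        for path, verdict in probe(sys.argv[1]).items():
            print(f"{sys.argv[1].rstrip('/')}{path}: {verdict}")
    else:
        for name, verdict in demo().items():
            print(f"{name}: {verdict}")
```

Run it with a base URL to probe a live server, or with no arguments to see the verdicts for the constructed samples. An "open" verdict on /api/terminals is the worst case: the terminal endpoint hands out an interactive shell as the user running the server.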
Today, DataGravity has published a detailed report about the vulnerability, including the methodology employed, quantified findings, and recommendations for Jupyter Notebook server users to secure current and future deployments. As always, should you have any questions about the methodology, data, or results, please do not hesitate to contact us.
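The misconfiguration at the heart of this finding is a jupyter_notebook_config.py that listens on every interface with no password set. The following added example (the editor's code, not the report's recommendations verbatim) shows that weak configuration beside a generator for a hardened one: loopback-only binding, a hashed password, and optional TLS. The passwd() and passwd_check() functions reimplement the 'algorithm:salt:hexdigest' scheme that notebook.auth.passwd() used in the Jupyter Notebook 4.x era so that the script runs without the notebook package installed; that compatibility is an assumption made here, not a call into the library. The c.NotebookApp.* option names are the real traitlets settings.

```python
"""Generate a hardened jupyter_notebook_config.py with a hashed password.

Added example (editor's code). passwd()/passwd_check() reimplement the
'algorithm:salt:hexdigest' format of notebook.auth.passwd() from the Jupyter
Notebook 4.x era (hash over passphrase+salt, 12-hex-char salt); matching that
scheme is an assumption, not an import from the notebook package.
"""
import hashlib
import hmac
import secrets

SALT_LEN = 12  # hex characters, as in notebook.auth.security

# Weak: the shape of the exposed servers. Listens on every interface with no
# password, so anyone who can reach the port gets the notebook and a shell.
WEAK_CONFIG = """\
c = get_config()
c.NotebookApp.ip = '0.0.0.0'
c.NotebookApp.password = ''
c.NotebookApp.open_browser = False
"""


def passwd(passphrase, algorithm="sha1"):
    """Return 'algorithm:salt:digest' suitable for c.NotebookApp.password."""
    salt = secrets.token_hex(SALT_LEN // 2)  # SALT_LEN hex characters
    h = hashlib.new(algorithm)
    h.update(passphrase.encode("utf-8") + salt.encode("ascii"))
    return ":".join((algorithm, salt, h.hexdigest()))


def passwd_check(hashed, passphrase):
    """Verify a passphrase against a passwd() hash with a constant-time compare."""
    try:
        algorithm, salt, digest = hashed.split(":", 2)
        h = hashlib.new(algorithm)
    except ValueError:
        return False  # malformed hash or unknown algorithm
    h.update(passphrase.encode("utf-8") + salt.encode("ascii"))
    return hmac.compare_digest(h.hexdigest(), digest)


def hardened_config(password_hash, ip="127.0.0.1", port=8888, certfile=None, keyfile=None):
    """Render a jupyter_notebook_config.py that requires a password and, by
    default, only accepts connections from the loopback interface."""
    lines = [
        "# Hardened: loopback only, password required, optional TLS.",
        "c = get_config()",
        f"c.NotebookApp.ip = {ip!r}",
        f"c.NotebookApp.port = {port}",
        f"c.NotebookApp.password = {password_hash!r}",
        "c.NotebookApp.open_browser = False",
    ]
    if certfile and keyfile:
        # Only meaningful when the server must be reachable beyond loopback.
        lines += [
            f"c.NotebookApp.certfile = {certfile!r}",
            f"c.NotebookApp.keyfile = {keyfile!r}",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import getpass

    h = passwd(getpass.getpass("Notebook password: "))
    print(hardened_config(h))
```

Write the printed block to ~/.jupyter/jupyter_notebook_config.py (or pass it through `jupyter notebook --generate-config` first and edit). If the server genuinely has to be reachable from other hosts, keep the password, add certfile/keyfile so the password is not sent in the clear, and put a firewall rule or SSH tunnel in front of it rather than setting ip to '0.0.0.0'.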
Download “Jupyter Descending,” a DataGravity research report, to learn how to protect your organization from this vulnerability.
This post originally appeared on the DataGravity blog.
Machine Learning Engineering Manager at Canva
7 years ago
Hi Andrew, is the threat relevant to stand-alone Jupyter notebooks (available on localhost) on machines connected to the internet? What about JupyterHub, which requires user authentication? Also, I was not able to access the report using the link provided. Is there a place I could access the report?
Information Security Leader President, ISSA International
8 years ago
Great find, Andrew!