Jupyter Notebooks unwittingly open huge server security hole
Many individuals rely on Jupyter Notebooks to learn new programming languages, build proof-of-concept tools and interactively analyze data. But what happens when security rigor is sacrificed in favor of standing up a notebook server as quickly as possible? Unfortunately, as you will learn, simple and readily available security settings are overlooked, and serious security vulnerabilities are left open for attackers to exploit.
In December 2016, research by DataGravity discovered more than 350 internet-facing Jupyter Notebook servers providing unauthenticated access to Jupyter’s web user interface and its associated command line shell interface. Default installations of Jupyter Notebook servers, prior to version 4.3, do not offer any default security mechanisms to prevent full unauthenticated access to the notebook web interface. From the web interface, an attacker can exploit three trivial vectors to gain full interaction with the target system with the permissions of the user that started the notebook server.
These vectors were reported on December 13, 2016, via the Common Vulnerabilities and Exposures (CVE®) system and were granted CVE-2016-9970 as the associated identifier. The vulnerable systems span popular cloud hosting providers, traditional brick-and-mortar hosting facilities, telecommunications companies, and educational institutions hosted in countries around the world – including China, Japan, Iran and the U.S.
Today, DataGravity has published a detailed report about the vulnerability, including the employed methodology, quantified findings, and recommendations for Jupyter Notebook server users to secure current and future deployments. As always, should you have any questions about the employed methodologies, data, or results, please do not hesitate to contact us.
Download “Jupyter Descending,” a DataGravity research report, to learn how to protect your organization from this vulnerability.