Jupyter Notebooks unwittingly open huge server security hole

Many individuals rely on Jupyter Notebooks to learn new programming languages, build proof-of-concept tools and interactively analyze data. But what happens when security rigor is sacrificed in favor of standing up a notebook server as quickly as possible? Unfortunately, as you will learn, easily applied security settings are overlooked and serious security vulnerabilities are left open for attackers to exploit.

In December 2016, research by DataGravity discovered more than 350 internet-facing Jupyter Notebook servers providing unauthenticated access to Jupyter’s web user interface and its associated command line shell interface. Default installations of Jupyter Notebook servers, prior to version 4.3, do not offer any default security mechanisms to prevent full unauthenticated access to the notebook web interface. From the web interface, an attacker can exploit three trivial vectors to gain full interaction with the target system with the permissions of the user that started the notebook server.

These vectors were reported on December 13, 2016, via the Common Vulnerabilities and Exposures (CVE®) system and were granted CVE-2016-9970 as the associated identifier. The vulnerable systems span popular cloud hosting providers, traditional brick-and-mortar hosting facilities, telecommunications companies, and educational institutions hosted in countries around the world – including China, Japan, Iran and the U.S.
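As an added example (not code from the report or from the Jupyter project), the script below audits a `jupyter_notebook_config.py` for the exposure described above: a server bound to a non-local interface with no password and no token, and without TLS. The `c.NotebookApp.*` option names are Jupyter's own; the `_Section` stand-in for the `c` config object, the `legacy` flag for pre-4.3 servers, and the two sample configs with their placeholder hash and certificate paths are assumptions.

```python
class _Section:
    """Hypothetical stand-in for the ``c`` object Jupyter hands a config
    file; records assignments such as c.NotebookApp.ip = '0.0.0.0'."""
    def __init__(self):
        self.__dict__["_values"] = {}

    def __setattr__(self, name, value):
        self._values[name] = value

    def __getattr__(self, name):  # unknown names become nested sections
        return self._values.setdefault(name, _Section())


def audit_jupyter_config(config_source, legacy=False):
    """Return findings. ``legacy`` = pre-4.3 server (no token auth exists,
    so an unset token offers no protection)."""
    root = _Section()
    exec(config_source, {"c": root})  # config files are plain Python
    app = root._values.get("NotebookApp")
    settings = app._values if isinstance(app, _Section) else {}
    ip = settings.get("ip", "localhost")
    token = settings.get("token")  # unset on >= 4.3 => auto-generated token
    password = settings.get("password", "")
    remote = ip not in ("localhost", "127.0.0.1")
    findings = []
    if remote and not password and (legacy or token == ""):
        findings.append("bound to %s with no password and no token: "
                        "unauthenticated remote access" % ip)
    if remote and not settings.get("certfile"):
        findings.append("remote bind without certfile: traffic and "
                        "credentials sent in cleartext")
    if password and not str(password).startswith(("sha1:", "argon2:")):
        findings.append("password is not a hash from notebook.auth.passwd()")
    return findings


# Constructed sample configs (not taken from the report).
WEAK_CONFIG = """
c.NotebookApp.ip = '0.0.0.0'
c.NotebookApp.open_browser = False
c.NotebookApp.token = ''   # disables the auto-generated token
"""
HARDENED_CONFIG = """
c.NotebookApp.ip = '0.0.0.0'
c.NotebookApp.open_browser = False
c.NotebookApp.password = 'sha1:PLACEHOLDER_SALT:PLACEHOLDER_HASH'  # notebook.auth.passwd()
c.NotebookApp.certfile = '/path/to/notebook.pem'
c.NotebookApp.keyfile = '/path/to/notebook.key'
"""
```

Running `audit_jupyter_config(WEAK_CONFIG)` reports both the unauthenticated bind and the missing certificate, while the hardened config returns no findings; a pre-4.3 server with an empty config but a remote `ip` must be audited with `legacy=True`.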

Today, DataGravity has published a detailed report about the vulnerability, including the employed methodology, quantified findings, and recommendations for Jupyter Notebook server users to secure current and future deployments. As always, should you have any questions about the employed methodologies, data, or results, please do not hesitate to contact us.

Download “Jupyter Descending,” a DataGravity research report, to learn how to protect your organization from this vulnerability.

Andrew Hay

With over 15 years of data security experience in various roles inside organizations as well as advising them, Andrew serves as the chief information security officer at DataGravity. He is responsible for the development and delivery of the company’s comprehensive data security strategy. Prior to DataGravity, Andrew was the director of research at OpenDNS (acquired by Cisco) and the director of applied security research and chief evangelist at CloudPassage.