Showing 1 changed file with 41 additions and 0 deletions.
@@ -0,0 +1,41 @@ | ||
--- | ||
title: "Security report for jupyter-server-proxy: CVE-2024-28179" | ||
subtitle: "" | ||
summary: "" | ||
authors: ["Chris Holdgraf"] | ||
tags: [] | ||
categories: [engineering, partnerships, updates] | ||
date: 2024-03-19 | ||
lastmod: 2024-03-19 | ||
featured: false | ||
draft: false | ||
--- | ||
|
||
## What happened? | ||
|
||
A few weeks ago, the JupyterHub team discovered a security vulnerability in [the `jupyter-server-proxy` tool](https://jupyter-server-proxy.readthedocs.io/en/latest/) that would allow potential unauthenticated access to a JupyterHub via WebSockets, allowing unauthenticated users to run arbitrary code on the JupyterHub. | ||
`jupyter-server-proxy` is used by many communities to provide alternative user interfaces like RStudio and remote desktops. | ||
|
||
This vulnerability was detected by the JupyterHub team, with leadership from 2i2c's engineers. It was resolved through upstream contributions to the JupyterHub project, and we have pushed a fix to all of 2i2c's community hubs. Longer-term, we are working on some more improvements to ensure this fix persists at the level of individual commmunity images. | ||
|
||
## Does this impact my 2i2c community hub? | ||
|
||
We do not believe that any of 2i2c's communities were impacted by this vulnerability, and a patch has now been pushed to all community hubs to resolve this issue. | ||
|
||
If your community was vulnerable to this problem, you might experience slightly slower startup latency while we work out a long-term solution. | ||
|
||
## Where can I learn more? | ||
|
||
See [the JupyterHub security advisory for CVE-2024-28179](https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4vFor) for more information about the security vulnerability. | ||
|
||
## Conclusion | ||
|
||
We're grateful that the JupyterHub community was quick to acknowledge, respond, and resolve this security vulnerability after it was brought to their attention. | ||
We're also proud that 2i2c's engineers helped the JupyterHub team throughout the process. | ||
|
||
This allowed our team to resolve the problem before it impacted any of 2i2c's communities. | ||
Because 2i2c community infrastructure is managed in a central location, we were able to resolve this for over 80 communities with a single team rather than expecting each community to learn about and fix this problem on their own. | ||
|
||
We also believe this reflects the healthy upstream relationships that we hope to encourage with our team's [Open Source strategy and practices](https://compass.2i2c.org/open-source/). | ||
By working with the JupyterHub community and pushing changes upstream, we've resolved this issue for _any_ user of `jupyter-server-proxy`, not just 2i2c's own ecosystem. | ||
We believe this leads to a healthier, safer ecosystem of open source tools ❤️. |
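Review bot: the advisory link in the "Where can I learn more?" paragraph is broken: the URL ends in `GHSA-w3vc-fx9p-wp4vFor`, where the word "For" from the sentence has been glued onto the advisory identifier (GHSA ids take the form GHSA-xxxx-xxxx-xxxx, so the trailing "For" is a stray token). As written the link will 404 and readers cannot reach the CVE-2024-28179 details that the post defers to; move "For" outside the closing parenthesis so the sentence reads `...GHSA-w3vc-fx9p-wp4v) for more information...`. Two smaller points in the same hunk: "commmunity" in the "What happened?" section has an extra "m", and the front matter leaves `summary: ""` empty, so listing pages and feeds will show nothing for this post; a one-line summary such as the first sentence of "What happened?" would be worth adding.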