From 835f99c102b66a284490fd3e0b07fa228a22031e Mon Sep 17 00:00:00 2001 From: choldgraf Date: Tue, 19 Mar 2024 11:51:46 -0700 Subject: [PATCH] BLOG: CVE security post --- .../cve-kubernetes-vulnerability/index.md | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 content/blog/2024/cve-kubernetes-vulnerability/index.md diff --git a/content/blog/2024/cve-kubernetes-vulnerability/index.md b/content/blog/2024/cve-kubernetes-vulnerability/index.md new file mode 100644 index 000000000..d99a54dd7 --- /dev/null +++ b/content/blog/2024/cve-kubernetes-vulnerability/index.md 
@@ -0,0 +1,41 @@ +--- +title: "Security report for jupyter-server-proxy: CVE-2024-28179" +subtitle: "" +summary: "" +authors: ["Chris Holdgraf"] +tags: [] +categories: [engineering, partnerships, updates] +date: 2024-03-19 +lastmod: 2024-03-19 +featured: false +draft: false +--- + +## What happened? + +A few weeks ago, the JupyterHub team discovered a security vulnerability in [the `jupyter-server-proxy` tool](https://jupyter-server-proxy.readthedocs.io/en/latest/) that would allow potential unauthenticated access to a JupyterHub via WebSockets, allowing unauthenticated users to run arbitrary code on the JupyterHub. +`jupyter-server-proxy` is used by many communities to provide alternative user interfaces like RStudio and remote desktops. + +This vulnerability was detected by the JupyterHub team, with leadership from 2i2c's engineers. It was resolved through upstream contributions to the JupyterHub project, and we have pushed a fix to all of 2i2c's community hubs. Longer-term, we are working on some more improvements to ensure this fix persists at the level of individual commmunity images. + +## Does this impact my 2i2c community hub? + +We do not believe that any of 2i2c's communities were impacted by this vulnerability, and a patch has now been pushed to all community hubs to resolve this issue. + +If your community was vulnerable to this problem, you might experience slightly slower startup latency while we work out a long-term solution. + +## Where can I learn more? + +See [the JupyterHub security advisory for CVE-2024-28179](https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4vFor) for more information about the security vulnerability. + +## Conclusion + +We're grateful that the JupyterHub community was quick to acknowledge, respond, and resolve this security vulnerability after it was brought to their attention. +We're also proud that 2i2c's engineers helped the JupyterHub team throughout the process. 
+ +This allowed our team to resolve the problem before it impacted any of 2i2c's communities. +Because 2i2c community infrastructure is managed in a central location, we were able to resolve this for over 80 communities with a single team rather than expecting each community to learn about and fix this problem on their own. + +We also believe this reflects the healthy upstream relationships that we hope to encourage with our team's [Open Source strategy and practices](https://compass.2i2c.org/open-source/). +By working with the JupyterHub community and pushing changes upstream, we've resolved this issue for _any_ user of `jupyter-server-proxy`, not just 2i2c's own ecosystem. +We believe this leads to a healthier, safer ecosystem of open source tools ❤️.
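Review bot: the advisory link in the "Where can I learn more?" section has the following word fused into the URL, so it will not resolve as written: `...advisories/GHSA-w3vc-fx9p-wp4vFor) for more information` should read `...advisories/GHSA-w3vc-fx9p-wp4v) for more information` (GHSA identifiers end in a four-character segment, and "For" is the start of the prose that follows the closing parenthesis). Since this is the only pointer readers get to the actual advisory for CVE-2024-28179, please verify the corrected link opens before merging. Two smaller points in the same file: "commmunity" in the "What happened?" section is a typo, and the front matter ships with empty `subtitle`, `summary` and `tags` fields, which for a security post is worth filling in (a one-line summary naming the CVE helps the post surface in feeds and search).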