Upcoming blog post #225

41 changes: 41 additions & 0 deletions content/blog/2024/cve-kubernetes-vulnerability/index.md
@@ -0,0 +1,41 @@
---
title: "Security report for jupyter-server-proxy: CVE-2024-28179"
subtitle: ""
summary: ""
authors: ["Chris Holdgraf"]
tags: []
categories: [engineering, partnerships, updates]
date: 2024-03-19
lastmod: 2024-03-19
featured: false
draft: false
---

## What happened?

A few weeks ago, the JupyterHub team discovered a security vulnerability in [the `jupyter-server-proxy` tool](https://jupyter-server-proxy.readthedocs.io/en/latest/) that would allow potential unauthenticated access to a JupyterHub via WebSockets, allowing unauthenticated users to run arbitrary code on the JupyterHub.
`jupyter-server-proxy` is used by many communities to provide alternative user interfaces like RStudio and remote desktops.

This vulnerability was detected by the JupyterHub team, with leadership from 2i2c's engineers. It was resolved through upstream contributions to the JupyterHub project, and we have pushed a fix to all of 2i2c's community hubs. Longer-term, we are working on some more improvements to ensure this fix persists at the level of individual commmunity images.

## Does this impact my 2i2c community hub?

We do not believe that any of 2i2c's communities were impacted by this vulnerability, and a patch has now been pushed to all community hubs to resolve this issue.

If your community was vulnerable to this problem, you might experience slightly slower startup latency while we work out a long-term solution.

## Where can I learn more?

See [the JupyterHub security advisory for CVE-2024-28179](https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4vFor) for more information about the security vulnerability.

## Conclusion

We're grateful that the JupyterHub community was quick to acknowledge, respond, and resolve this security vulnerability after it was brought to their attention.
We're also proud that 2i2c's engineers helped the JupyterHub team throughout the process.

This allowed our team to resolve the problem before it impacted any of 2i2c's communities.
Because 2i2c community infrastructure is managed in a central location, we were able to resolve this for over 80 communities with a single team rather than expecting each community to learn about and fix this problem on their own.

We also believe this reflects the healthy upstream relationships that we hope to encourage with our team's [Open Source strategy and practices](https://compass.2i2c.org/open-source/).
By working with the JupyterHub community and pushing changes upstream, we've resolved this issue for _any_ user of `jupyter-server-proxy`, not just 2i2c's own ecosystem.
We believe this leads to a healthier, safer ecosystem of open source tools ❤️.
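Review bot: the advisory link in the "Where can I learn more?" section has the word `For` concatenated onto the end of the URL (`.../GHSA-w3vc-fx9p-wp4vFor)`), so as written the link target will not resolve and the sentence loses its "for more information" wording; move `For` outside the closing parenthesis so it reads `...wp4v) for more information`. Two smaller points in the same hunk: `commmunity` (three m's) in the "What happened?" paragraph, and the post directory `content/blog/2024/cve-kubernetes-vulnerability/` does not match the content, which is about `jupyter-server-proxy` rather than Kubernetes; consider renaming the directory before merge, since it will become the published URL slug. The empty `subtitle` and `summary` front-matter fields could also carry a one-line summary for listing pages.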