CVE-2022-24758: Critical Jupyter Notebook Security Vulnerability Lets Attackers Access Sensitive Server Log Information
Jupyter Notebooks are interactive web-based environments used extensively for data science, machine learning, and other computational research purposes. The Jupyter server enables users to create, manage, and share documents containing live code, equations, visualizations, and narrative text. However, a recent vulnerability has been discovered in Jupyter Notebook versions before 6.4.9. This vulnerability, tagged as CVE-2022-24758, allows unauthorized actors to access sensitive information from server logs, posing a significant security risk.
Vulnerability Details
The vulnerability exists in the way the Jupyter server logs certain 5xx error events. When a web client triggers a 5xx error, the server by default writes the authentication cookie and other request header values into its log. Reading these logs does not require root access, so anyone who can read them can harvest the authentication and cookie values and use them to gain unauthorized access to the Jupyter server.
Here's an illustrative code snippet showing how a Jupyter server of this kind logs 5xx error events (the Jupyter server logger is stood in for by `self.log`):

    import logging

    class JupyterWebApp:
        """Illustrative server class; self.log stands in for the Jupyter server logger."""

        def __init__(self):
            self.log = logging.getLogger("jupyter_server")

        def log_request(self, handler):
            """Log the request, choosing the log level from the response status."""
            status = handler.get_status()
            if status < 400:
                log_method = self.log.info
            elif status < 500:
                log_method = self.log.warning
            else:
                log_method = self.log.error
            if status >= 500:
                # Vulnerable behaviour (before 6.4.9): the full header set and all
                # cookies, including the auth cookie, are written to the log.
                log_method(
                    "5xx ERROR",
                    extra={
                        "statusCode": status,
                        "request_info": handler.request,
                        "headers": handler.request.headers,
                        "cookies": handler.request.cookies,
                    },
                )
            else:
                # Ordinary access-log line, e.g. "200 GET / (127...1)"
                log_method("%s %s %s", status, handler.request.method, handler.request.uri)
Notice the log_method call on the 5xx branch, which logs the "5xx ERROR" string along with the request status code, request information, headers, and cookies. These log entries are readable by any user with access to the Jupyter server logs.
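For comparison, here is a hardened version of the same 5xx logging step. This is an added example, not the Jupyter project's code: it assumes the request exposes `headers` and `cookies` mappings (as tornado's HTTPServerRequest does), redacts the Authorization and Cookie headers, the `_xsrf` cookie and the `username-<host>-<port>` login cookie, and returns the record it logs so the result can be checked.

```python
import logging

# Header and cookie names whose values must never reach the access log.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-xsrftoken"}
SENSITIVE_COOKIES = {"_xsrf"}          # tornado's CSRF cookie
LOGIN_COOKIE_PREFIX = "username-"      # Jupyter's login cookie, username-<host>-<port>

log = logging.getLogger("hardened_access_log")


def redact_headers(headers):
    """Copy a header mapping, replacing credential-bearing values."""
    return {
        name: ("<redacted>" if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers.items()
    }


def redact_cookies(cookies):
    """Copy a cookie mapping, replacing the auth/CSRF cookie values."""
    out = {}
    for name, value in cookies.items():
        sensitive = name in SENSITIVE_COOKIES or name.startswith(LOGIN_COOKIE_PREFIX)
        out[name] = "<redacted>" if sensitive else value
    return out


def log_5xx(status, method, uri, headers, cookies):
    """Log a 5xx event with redacted headers/cookies and return the logged extra dict."""
    extra = {
        "statusCode": status,
        "headers": redact_headers(headers),
        "cookies": redact_cookies(cookies),
    }
    log.error("5xx ERROR %s %s", method, uri, extra=extra)
    return extra


if __name__ == "__main__":
    # Constructed sample request: a token header and a login cookie on a 500 response.
    record = log_5xx(
        500, "GET", "/api/contents",
        {"Host": "localhost:8888", "Authorization": "token sample-token-value"},
        {"username-localhost-8888": "sample-session", "_xsrf": "sample-xsrf", "theme": "dark"},
    )
    print(record)
```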
Exploit Details
An attacker can exploit this vulnerability by triggering 5xx errors on a vulnerable Jupyter server and then monitoring the logs for sensitive data. Once the attacker gathers the necessary auth/cookie information, they can use this data to gain unauthorized access to the Jupyter server, potentially compromising valuable research information, intellectual property, or personal identification data.
You can find more detailed information about this vulnerability in the official Jupyter security advisory:
https://github.com/jupyter/jupyter_core/security/advisories/GHSA-82hx-2wgg-5r4f
Remediation
To mitigate this vulnerability, users should upgrade their Jupyter Notebook installations to version 6.4.9 or later. The patch for this issue is included in the updated versions, which no longer log auth cookie and header values during 5xx error events.
You can find the updated Jupyter Notebook release on the official repository:
https://github.com/jupyter/notebook/releases/tag/v6.4.9
There are currently no known workarounds for this vulnerability.
Conclusion
The CVE-2022-24758 vulnerability poses a significant risk to Jupyter Notebook users by allowing unauthorized actors to access sensitive information from server logs. Understanding the details of this vulnerability and the risks it poses is crucial to protecting your intellectual property and user data. Ensure that your Jupyter Notebook environment is updated to the latest version to keep your interactive computing work secure.
Timeline
Published on: 03/31/2022 23:15:00 UTC
Last modified on: 04/08/2022 16:28:00 UTC