
[DH-182] critical security update for ray #5238

Merged
merged 1 commit into from
Nov 28, 2023

Conversation

shaneknapp
Contributor

there are three critical security issues in ray:
https://github.com/berkeley-dsep-infra/datahub/security/dependabot/73
https://github.com/berkeley-dsep-infra/datahub/security/dependabot/74
https://github.com/berkeley-dsep-infra/datahub/security/dependabot/75

we're on 1.3, we need to upgrade to at least 2.6. i'll go for latest (2.8).

this is pretty bad, so i'll shepherd this through and get it out today.

@balajialg @ryanlovett @felder

@shaneknapp shaneknapp changed the title critical update to ray [DH-182] critical security update for ray Nov 28, 2023
@ryanlovett
Collaborator

This would be bad if remote users could access the ray user's server over the network. I don't know anything about ray, but in z2jh it is challenging for one user to open a port on their server that another user could access. (like, I think the user would have to install (into their own account) and enable a jupyter server extension which required no authentication) I don't think our users are able to talk to the cluster controller to create new pods or other k8s resources.

So while the ray issue might be critical and would make sense to update, it could also be impossible to exploit on the hubs.

@shaneknapp
Contributor Author

> This would be bad if remote users could access the ray user's server over the network. I don't know anything about ray, but in z2jh it is challenging for one user to open a port on their server that another user could access. (like, I think the user would have to install (into their own account) and enable a jupyter server extension which required no authentication) I don't think our users are able to talk to the cluster controller to create new pods or other k8s resources.
>
> So while the ray issue might be critical and would make sense to update, it could also be impossible to exploit on the hubs.

i agree, though it is theoretically possible and could have potential impact in the form of an internal attack -- rather than from the big scary internet at large. theoretically possible, but for sure: highly unlikely. :)

anyways, it's critical and should be updated regardless.

@shaneknapp shaneknapp merged commit 2287c12 into berkeley-dsep-infra:staging Nov 28, 2023
2 checks passed
@shaneknapp shaneknapp deleted the dependabot-ray branch November 28, 2023 23:30