Jupyter Notebooks are interactive web-based environments used extensively for data science, machine learning, and other computational research. The Jupyter server lets users create, manage, and share documents containing live code, equations, visualizations, and narrative text. However, a vulnerability was discovered in Jupyter Notebook versions before 6.4.9. This vulnerability, tracked as CVE-2022-24758, allows unauthorized actors to access sensitive information from server logs, posing a significant security risk.

Vulnerability Details

The vulnerability exists because of the way the Jupyter server logs certain 5xx error events. When a web client triggers a 5xx error, the server logs the authentication cookie and other header values by default. Reading these logs does not require root access, so an attacker who can read the log files can monitor them, collect authentication and cookie information, and use it to gain unauthorized access to the Jupyter server.

Here's a code snippet example showing how the Jupyter server logs 5xx error events:

import logging


class ServerApp:
    # The server's application logger; 5xx entries end up in the same log file.
    log = logging.getLogger("jupyter")

    def log_request(self, handler):
        """Log the request; on a 5xx, also dump headers and cookies (the flaw)."""
        status = handler.get_status()
        request = handler.request
        if status < 400:
            log_method = self.log.info
        elif status < 500:
            log_method = self.log.warning
        else:
            log_method = self.log.error
            # Vulnerable: the full header set (including Authorization and
            # Cookie) and every cookie are written to the log on any 5xx.
            log_method(
                "5xx ERROR",
                extra={
                    "statusCode": status,
                    "request_info": request,
                    "headers": request.headers,
                    "cookies": request.cookies,
                },
            )
        # Access-log line written for every request, e.g. "200 GET / (<client ip>)"
        log_method("%s %s %s (%s)", status, request.method, request.uri, request.remote_ip)

Notice the log_method call in the 5xx branch, which logs the "5xx ERROR" string along with the request status code, request information, headers, and cookies. These log entries are readable by any user with access to the Jupyter server logs.
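To make the defect concrete, here is the vulnerable logging behaviour beside a hardened form that keeps header names for debugging but masks credential-bearing values and logs only cookie names. This is an added example, not code from the Jupyter project or the advisory: the FakeRequest/FakeHandler classes stand in for tornado's request and handler objects, the SENSITIVE name list and the token and cookie values are constructed for the example, and the access-log format is an assumption.

```python
import logging
from io import StringIO

# Header and cookie names whose values must never be written to a log file.
# This list is an assumption made for the example, not taken from Jupyter.
SENSITIVE = {"authorization", "cookie", "x-xsrftoken"}
REDACTED = "<redacted>"


class FakeRequest:
    """Constructed stand-in for tornado's HTTPServerRequest."""

    def __init__(self, method, uri, remote_ip, headers, cookies):
        self.method = method
        self.uri = uri
        self.remote_ip = remote_ip
        self.headers = headers   # dict: header name -> value
        self.cookies = cookies   # dict: cookie name -> value


class FakeHandler:
    """Constructed stand-in for a tornado RequestHandler."""

    def __init__(self, status, request):
        self._status = status
        self.request = request

    def get_status(self):
        return self._status


def _level_for(status):
    """Same level selection as the server's log_request: info/warning/error."""
    if status < 400:
        return logging.INFO
    if status < 500:
        return logging.WARNING
    return logging.ERROR


def log_request_vulnerable(handler, log):
    """Pre-6.4.9 behaviour: a 5xx dumps every header value and every cookie."""
    status, req = handler.get_status(), handler.request
    if status >= 500:
        log.error("5xx ERROR headers=%s cookies=%s", dict(req.headers), dict(req.cookies))
    log.log(_level_for(status), "%d %s %s (%s)", status, req.method, req.uri, req.remote_ip)


def redact(headers):
    """Keep header names (useful when debugging) but mask credential values."""
    return {k: (REDACTED if k.lower() in SENSITIVE else v) for k, v in headers.items()}


def log_request_fixed(handler, log):
    """Hardened form: credential-bearing header values are masked and only
    cookie names, never their values, reach the log."""
    status, req = handler.get_status(), handler.request
    if status >= 500:
        log.error("5xx ERROR headers=%s cookies=%s",
                  redact(dict(req.headers)), sorted(req.cookies))
    log.log(_level_for(status), "%d %s %s (%s)", status, req.method, req.uri, req.remote_ip)


def capture(log_fn, handler):
    """Run log_fn against a fresh in-memory logger and return what it wrote."""
    buf = StringIO()
    logger = logging.getLogger(f"example.{log_fn.__name__}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    log_fn(handler, logger)
    return buf.getvalue()


# Constructed request: the token and cookie values are made up for the example.
TOKEN = "token deadbeefcafe"
SESSION_COOKIE = "session-cookie-value-example"
REQUEST = FakeRequest(
    "GET", "/api/contents", "198.51.100.7",
    {"Host": "localhost:8888",
     "Authorization": TOKEN,
     "Cookie": f"username-localhost-8888={SESSION_COOKIE}"},
    {"username-localhost-8888": SESSION_COOKIE},
)
HANDLER_500 = FakeHandler(500, REQUEST)


def demo():
    """Return (vulnerable log output, hardened log output) for the same 500."""
    return capture(log_request_vulnerable, HANDLER_500), capture(log_request_fixed, HANDLER_500)


if __name__ == "__main__":
    before, after = demo()
    print("vulnerable:\n" + before)
    print("fixed:\n" + after)
```

Running it shows the token and the session cookie value in the first output and neither in the second, while the header names, the cookie name and the status line survive, so the error entry is still useful for diagnosing the 5xx.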

Exploit Details

An attacker can exploit this vulnerability by triggering 5xx errors on a vulnerable Jupyter server and then monitoring the logs for sensitive data. Once the attacker has gathered the necessary authentication/cookie information, they can use it to gain unauthorized access to the Jupyter server, potentially compromising valuable research information, intellectual property, or personal identification data.

You can find more detailed information about this vulnerability in the official Jupyter security advisory:
https://github.com/jupyter/jupyter_core/security/advisories/GHSA-82hx-2wgg-5r4f

Remediation

To mitigate this vulnerability, users should upgrade their Jupyter Notebook installations to version 6.4.9 or later. The patch for this issue is included in the updated versions, which no longer log auth cookie and header values during 5xx error events.

You can find the updated Jupyter Notebook version on the official repository:

https://github.com/jupyter/notebook/releases/tag/v6.4.9

There are currently no known workarounds for this vulnerability.
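With no workaround available, the practical follow-up for an administrator whose server ran a vulnerable version is to find out which credentials have already been written to its logs, so the affected tokens and sessions can be rotated after upgrading. The scanner below is an added example, not part of the advisory or the Jupyter project: it assumes the dict-style header dump that str(dict) produces, as in the snippet earlier on this page, uses a constructed sample log, and reports a SHA-256 fingerprint of each leaked value rather than the value itself, so the report can be shared without re-leaking secrets.

```python
import hashlib
import re

# Patterns assume a dict-style dump such as "'Authorization': 'token ...'"
# inside a "5xx ERROR" line. The header names and the layout are assumptions
# for this example; adjust them to what your server version actually writes.
CRED_HEADER_RE = re.compile(
    r"'(?P<name>Authorization|Cookie|X-XSRFToken)':\s*'(?P<value>[^']*)'", re.IGNORECASE)
COOKIE_BLOCK_RE = re.compile(r"cookies=\{(?P<body>[^}]*)\}")
PAIR_RE = re.compile(r"'(?P<name>[^']+)':\s*'(?P<value>[^']*)'")


def fingerprint(secret):
    """Short SHA-256 prefix that identifies a leaked value without revealing it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def find_leaked_credentials(lines):
    """Return one finding per leaked credential as
    (line number, 'header' or 'cookie', name, fingerprint)."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if "5xx ERROR" not in line:
            continue
        for m in CRED_HEADER_RE.finditer(line):
            findings.append((lineno, "header", m.group("name"), fingerprint(m.group("value"))))
        block = COOKIE_BLOCK_RE.search(line)
        if block:
            for m in PAIR_RE.finditer(block.group("body")):
                findings.append((lineno, "cookie", m.group("name"), fingerprint(m.group("value"))))
    return findings


def scan_file(path):
    """Scan a log file on disk; returns the same finding tuples."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_leaked_credentials(fh)


# Constructed sample log lines; every token, cookie and address is made up.
SAMPLE_LOG = [
    "[I 2022-03-30 10:15:01.123 NotebookApp] 200 GET /api/contents (198.51.100.7) 3.21ms",
    "[E 2022-03-30 10:15:09.456 NotebookApp] 5xx ERROR headers={'Host': 'localhost:8888', "
    "'Authorization': 'token deadbeefcafe', "
    "'Cookie': 'username-localhost-8888=sessionvalue1'} "
    "cookies={'username-localhost-8888': 'sessionvalue1'}",
    "[E 2022-03-30 10:15:09.457 NotebookApp] 500 POST /api/kernels (198.51.100.7) 12.80ms",
    "[W 2022-03-30 10:16:00.000 NotebookApp] 404 GET /nope (198.51.100.7) 1.00ms",
]


if __name__ == "__main__":
    import sys
    findings = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_leaked_credentials(SAMPLE_LOG)
    for lineno, kind, name, fp in findings:
        print(f"line {lineno}: {kind} {name} leaked (fingerprint {fp})")
    print(f"{len(findings)} leaked credential(s); rotate each one after upgrading")
```

Run it with a log path to scan a real file, or with no argument to see it pick out the Authorization header, the Cookie header and the session cookie from the constructed 5xx line while ignoring the ordinary access-log entries. Each distinct fingerprint corresponds to one token or session that should be treated as exposed.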

Conclusion

The CVE-2022-24758 vulnerability poses a significant risk to Jupyter Notebook users by allowing unauthorized actors to access sensitive information from server logs. Understanding the details of this vulnerability and the risks it poses is crucial to protecting your intellectual property and user data. Ensure that your Jupyter Notebook environment is updated to the latest version to secure your interactive computing work.

Timeline

Published on: 03/31/2022 23:15:00 UTC
Last modified on: 04/08/2022 16:28:00 UTC