Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version: 0.8.1
- Environment: Apache Zeppelin 0.8.1 on Mac OS and Linux (probably other platforms as well).
Description
If a user follows the quickstart instructions for Zeppelin (https://zeppelin.apache.org/docs/latest/quickstart/install.html), they will end up with a network service listening on their machine which is:
1 - Accessible remotely, because the service listens on all interfaces by default (tested on MacOS and Linux).
2 - Accessible anonymously. Other documents mention the optional Shiro configuration, but this is not referenced in the quickstart, and not part of the default configuration.
3 - Capable of arbitrary code execution on the host where it is running.
This seems exceedingly dangerous.
I would strongly recommend:
a - Bind only to the loopback interface by default.
b - Require authentication by default. At a minimum, the Shiro documentation should be mentioned in the quickstart guide.
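Added example, not part of this issue or of the Zeppelin project: a small Python audit that reads a `zeppelin-site.xml` and an optional `shiro.ini` and reports the two defaults the description objects to, a bind address other than loopback and anonymous access to the notebook. It assumes the Hadoop-style `<property><name/><value/></property>` layout of `zeppelin-site.xml`, the `zeppelin.server.addr` key, and Shiro's first-match evaluation of the `[urls]` section; the sample configs, account name and password are constructed for the example.

```python
"""Audit a Zeppelin install for the two quickstart defaults criticised above:
zeppelin.server.addr bound to all interfaces, and no (or an anonymous) Shiro
[urls] policy. Sample configuration below is constructed for this example."""
import configparser
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_zeppelin_site(xml_text):
    """Return {name: value} from a Hadoop-style zeppelin-site.xml."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def shiro_url_rules(ini_text):
    """Return the [urls] section of shiro.ini as an ordered list of (pattern, filters)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   allow_no_value=True)
    cp.optionxform = str  # keep patterns such as /api/** exactly as written
    cp.read_string(ini_text)
    if "urls" not in cp:
        return []
    return [(pattern, (filters or "").strip()) for pattern, filters in cp["urls"].items()]


def audit(site_xml, shiro_ini=None):
    """Return a list of findings; an empty list means both defaults were hardened."""
    findings = []
    props = parse_zeppelin_site(site_xml)
    # 0.0.0.0 is the value the report observed on a quickstart install.
    addr = props.get("zeppelin.server.addr", "0.0.0.0")
    if addr not in LOOPBACK:
        findings.append(f"bind: zeppelin.server.addr={addr} listens on all interfaces")

    if shiro_ini is None:
        findings.append("auth: no shiro.ini, every request is anonymous")
        return findings

    # Shiro applies the first [urls] pattern that matches a request, and paths
    # matched by no pattern get no filter at all, so a missing or 'anon'
    # catch-all rule both mean unauthenticated access.
    catch_all = next((f for p, f in shiro_url_rules(shiro_ini) if p == "/**"), None)
    if catch_all is None:
        findings.append("auth: shiro [urls] has no /** rule, unmatched paths are unprotected")
    elif catch_all.startswith("anon"):
        findings.append(f"auth: shiro [urls] rule '/** = {catch_all}' allows anonymous access")
    return findings


# Constructed sample: what the quickstart leaves behind (no shiro.ini at all).
QUICKSTART_SITE = """<configuration>
  <property><name>zeppelin.server.addr</name><value>0.0.0.0</value></property>
  <property><name>zeppelin.server.port</name><value>8080</value></property>
</configuration>
"""

# Constructed sample: the two recommendations applied.
HARDENED_SITE = QUICKSTART_SITE.replace("0.0.0.0", "127.0.0.1")
HARDENED_SHIRO = """[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

[users]
# placeholder account and password, for this example only
admin = change-me, admin

[roles]
admin = *

[urls]
/api/version = anon
/** = authc
"""

if __name__ == "__main__":
    for label, args in (("quickstart", (QUICKSTART_SITE,)),
                        ("hardened", (HARDENED_SITE, HARDENED_SHIRO))):
        print(label, audit(*args) or ["ok"])
```

Point `audit()` at the real files under `$ZEPPELIN_HOME/conf` (reading `shiro.ini` only if it exists) to check an installation; an empty result means the server is bound to loopback and every path except those you deliberately exempted requires a login.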
Attachments
- None
Issue Links
- is related to: ZEPPELIN-4287 Remote Code Execution (Resolved)