Jupyter’s role in #ChaosDB

M Bussonnier
Published in Jupyter Blog
Sep 1, 2021

On August 26 it was revealed that a misconfiguration in Microsoft’s internal deployment of CosmosDB, which used Jupyter, would allow attackers to access all customer data. Fortunately, Microsoft reports no evidence that customer data was actually compromised.

Nonetheless, articles online, such as Ars Technica’s and Reuters’, carry strong headlines that associate Jupyter with the issue, for example “Worst cloud vulnerability you can imagine.”

This can be especially alarming for our community: no details on the vulnerability have been released yet, and members of our community are wondering about Jupyter’s possible role in it.

What the Jupyter team knows

We learned about the CosmosDB vulnerability at the same time as everyone else; we had no prior notice and received no privileged communication about this issue. We have not seen any evidence suggesting it relates to a vulnerability in Jupyter itself, as opposed to a misconfiguration of Microsoft’s internal services.

We also had no prior interaction with the Microsoft team about their internal Jupyter deployment in CosmosDB.

From the descriptions posted by Wiz and Microsoft, there is no suggestion of any vulnerability in Jupyter itself; we rather expect that Jupyter was used as a convenient shell to exploit a vulnerability in the configuration of Microsoft’s internal services. We have no information beyond what is publicly available to support that expectation.

What are we doing internally

Even if Jupyter does not have a vulnerability to fix, it is often possible for us to warn end users when risky configuration options are set. For example, if you try to log in to JupyterHub over a non-HTTPS connection, you will see a warning.

[Figure: JupyterHub warning about login over unsecured HTTP]

We are preparing for the full release of the #ChaosDB details, so we can see whether there are any relevant safeguards and warnings to implement on the Jupyter side. We are also trying to reach the Microsoft security team involved directly, to learn whether there are steps we can take before public disclosure.

In the meantime you can contribute and get involved:

We always welcome feedback, questions, and help regarding security in Jupyter.

French. @ProjectJupyter Dev. Steering Member and Co-Founder. @IPythonDev maintainer. Pythonista. ACM System Software Award 2017. @quansightai