Re: [External] : [DISCUSS] Shell interpreter

[Michiel Haisma]

Hello Everyone,

As we all know, Apache Zeppelin is, by design, a remote code execution 
platform. There are some cases where this does not apply, but for a lot of 
script-style interpreters, the whole point is for the user to run code on the 
server. If there is a problem with the shell interpreter, there is also one 
with python, java, and many others. And this is the same for Jupyter, by the 
way.

If someone files a bug with 'I can run shell, it's a vulnerability' when using 
shell interpreter, it seems to be they are not properly aware of the intended 
use of the system, and the documentation around this may need to be pushed more 
in front so they are aware.

Alternative would be to rm -rf​ all script interpreters? Which would defeat 
most of the purpose of the platform.

My suggestion would be to contest the CVE, works as expected and republish 
shell interpreter.

Cheers,

Michiel

From: Jongyoul Lee 
Sent: Thursday, April 11, 2024 11:39
To: users ; dev 
Subject: [External] : [DISCUSS] Shell interpreter

Hello,

I want to discuss Shell interpreter issue with you.

For your information, we had a security report using Shell interpreter to 
execute malicious code with a system account. As you know, it's a kind of 
characteristic of Apache Zeppelin but some contributors including me thought it 
was too risky even if it's a feature. Moreover, I thought that we had some 
workarounds to do similar executions.

However, after releasing it, there were many questions via several channels 
about the deprecation of Shell interpreter.

I would like to follow the community's decision. For one more piece of 
information, we already have a security page to warn the code execution feature 
so we can keep the Shell interpreter without any further treatment.

Could you please give me your opinion on this?

If we conclude keeping it, I'll release a new release of 0.11.2 including Shell 
interpreter again.

Best regards,
Jongyoul Lee

Re: CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass

[Michiel Haisma]

Hi Jeff, others,

Can you please provide additional information regarding this vulnerability. 
Please include the following information:

 * Technical description of vulnerability, how users determine whether they are 
impacted. Maybe this is satisfied by one of the following items:
 * Relevant issue in Zeppelin Jira issue tracker.
 * Link to pull request or commit containing the fix.
 * List of released versions containing the fix.

I would also highly suggest providing these additional details in one of the 
vulnerability databases (e.g. https://nvd.nist.gov/vuln/detail/CVE-2020-13929) 
so that users have a better understanding of the impact and solutions.

Many thanks,

Michiel

On 2021/09/02 16:02:16, Jeff Zhang  wrote:
> Severity: critical>
>
> Description:>
>
> Authentication bypass vulnerability in Apache Zeppelin allows an attacker to 
> bypass Zeppelin authentication mechanism to act as another user. This issue 
> affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.>
>
> Credit:>
>
> Apache Zeppelin would like to thank David Woodhouse for reporting this issue >
>
>

Re: CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter

[Michiel Haisma]

Hi Jeff, others,

Can you please provide additional information regarding this vulnerability. 
Please include the following information:

 * Technical description of vulnerability, how users determine whether they are 
impacted. Maybe this is satisfied by one of the following items:
 * Relevant issue in Zeppelin Jira issue tracker.
 * Link to pull request or commit containing the fix.
 * List of released versions containing the fix.

I would also highly suggest providing these additional details in one of the 
vulnerability databases (e.g. https://nvd.nist.gov/vuln/detail/CVE-2021-27578) 
so that users have a better understanding of the impact and solutions.
[https://nvd.nist.gov/site-media/images/NVD_NVD_Stack_Plain.svg]
NVD - CVE-2021-27578
This vulnerability is currently undergoing analysis and not all information is 
available. Please check back soon to view the completed vulnerability summary. 
Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin 
allows an attacker to inject malicious scripts. This issue ...
nvd.nist.gov
Many thanks,

Michiel

On 2021/09/02 16:07:42, Jeff Zhang  wrote:
> Description:>
>
> Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin 
> allows an attacker to inject malicious scripts. This issue affects Apache 
> Zeppelin Apache Zeppelin versions prior to 0.9.0.>
>
> Credit:>
>
> Apache Zeppelin would like to thank Paulo Pacheco for reporting this issue >
>
>

Re: CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter

[Michiel Haisma]

Hi Jeff, others,

Can you please provide additional information regarding this vulnerability. 
Please include the following information:

 * Technical description of vulnerability, how users determine whether they are 
impacted. Maybe this is satisfied by one of the following items:
 * Relevant issue in Zeppelin Jira issue tracker.
 * Link to pull request or commit containing the fix.
 * List of released versions containing the fix.

I would also highly suggest providing these additional details in one of the 
vulnerability databases (e.g. https://nvd.nist.gov/vuln/detail/CVE-2019-10095) 
so that users have a better understanding of the impact and solutions.
NVD - CVE-2019-10095
NVD Analysts use publicly available information to associate vector strings and 
CVSS scores. We also display any CVSS information provided within the CVE List 
from the CNA.
nvd.nist.gov

Many thanks,

Michiel

On 2021/09/02 15:56:50, Jeff Zhang  wrote:
> Description:>
>
> bash command injection vulnerability in Apache Zeppelin allows an attacker to 
> inject system commands into Spark interpreter settings. This issue affects 
> Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.>
>
> Credit:>
>
> Apache Zeppelin would like to thank HERE Security team for reporting this 
> issue >
>
>