GHSA-hwqr-f3v9-hwxr.json.yaml
info:
  name: dask
  cve: CVE-2021-42343
  summary: Worker processes of a local Dask cluster incorrectly listen on public interfaces.
  details: |
    Versions of `distributed` prior to `2021.10.0` contain a potential security vulnerability related to single-machine Dask clusters.
    Clusters started with `dask.distributed.LocalCluster` or `dask.distributed.Client()` incorrectly configure their respective Dask workers to listen on external interfaces rather than only on `localhost`. A Dask cluster created this way, if running on a machine that exposes those ports, could be exploited by a sophisticated attacker to achieve remote code execution.
  cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  severity: CRITICAL
  security_advise: |
    1. Upgrade `distributed` to `2021.10.0` or later.
    2. Ensure standard firewalling is in place to restrict access to the Dask worker ports.
    3. If using `LocalCluster`, verify that the workers bind only to `localhost`.
rule: version > "0" && version < "2021.10.0"
references:
  - https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr
  - https://github.com/dask/distributed/pull/5427
  - https://github.com/dask/distributed/commit/afce4be8e05fb180e50a9d9e38465f1a82295e1b
  - https://docs.dask.org/en/latest/changelog.html
  - https://github.com/advisories/GHSA-j8fq-86c5-5v2r
  - https://github.com/dask/dask/tags
  - https://github.com/dask/distributed
  - https://github.com/pypa/advisory-database/tree/main/vulns/distributed/PYSEC-2021-871.yaml
  - https://github.com/pypa/advisory-database/tree/main/vulns/distributed/PYSEC-2021-872.yaml