Apache MXNet Vulnerability: Unintended Exposure of Clustered Setup

Apache MXNet Vulnerability: Unintended Exposure of Clustered Setup

CVE-2018-1281 · MEDIUM Severity

AV:N/AC:L/AU:S/C:P/I:N/A:N

The clustered setup of Apache MXNet allows users to specify which IP address and port the scheduler will listen on via the DMLC_PS_ROOT_URI and DMLC_PS_ROOT_PORT env variables. In versions older than 1.0.0, however, the MXNet framework will listen on 0.0.0.0 rather than user specified DMLC_PS_ROOT_URI once a scheduler node is initialized. This exposes the instance running MXNet to any attackers reachable via the interface they didn't expect to be listening on. For example: If a user wants to run a clustered setup locally, they may specify to run on 127.0.0.1. But since MXNet will listen on 0.0.0.0, it makes the port accessible on all network interfaces.

Learn more about our Cis Benchmark Audit For Apache Http Server.