Posted to dev@zeppelin.apache.org by "Ben Lincoln (JIRA)" <ji...@apache.org> on 2019/05/22 17:39:00 UTC
[jira] [Created] (ZEPPELIN-4166) Zeppelin listens on all interfaces by default, with anonymous access
Ben Lincoln created ZEPPELIN-4166:
-------------------------------------
Summary: Zeppelin listens on all interfaces by default, with anonymous access
Key: ZEPPELIN-4166
URL: https://issues.apache.org/jira/browse/ZEPPELIN-4166
Project: Zeppelin
Issue Type: Bug
Affects Versions: 0.8.1
Environment: Apache Zeppelin 0.8.1 on Mac OS and Linux (probably other platforms as well).
Reporter: Ben Lincoln
If a user follows the quickstart instructions for Zeppelin ([https://zeppelin.apache.org/docs/latest/quickstart/install.html]), they will end up with a network service listening on their machine which is:
1 - Accessible remotely, because the service listens on all interfaces by default (tested on MacOS and Linux).
2 - Accessible anonymously. Other documents mention the optional Shiro configuration, but this is not referenced in the quickstart, and not part of the default configuration.
3 - Capable of arbitrary code execution on the host where it is running.
This seems exceedingly dangerous.
I would strongly recommend:
a - Bind only to the loopback interface by default.
b - Require authentication by default. At a minimum, the Shiro documentation should be mentioned in the quickstart guide.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
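Added here as a worked example, not code from the issue above or from the Zeppelin project: a small Python audit that checks a Zeppelin installation for the two defaults the report describes (a non-loopback bind address and anonymous access) and shows the weak configuration next to the corrected one. It assumes the 0.8.x property names zeppelin.server.addr, zeppelin.server.port and zeppelin.anonymous.allowed in conf/zeppelin-site.xml, the [urls] section of conf/shiro.ini, and that 0.8.1 binds to 0.0.0.0 when no address is configured (an assumption chosen to match the report); both sample configurations are constructed, and the Ant-style pattern matching is a simplification of Shiro's.

```python
"""Audit a Zeppelin deployment for the two defaults reported in ZEPPELIN-4166.

Added example, not Zeppelin's own code. Property names and the shiro.ini
layout are assumptions about the 0.8.x configuration files.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Assumed 0.8.1 defaults when a property is absent (consistent with the report).
ASSUMED_DEFAULTS = {"zeppelin.server.addr": "0.0.0.0",
                    "zeppelin.anonymous.allowed": "true"}


def parse_site_xml(text):
    """Hadoop-style <property><name/><value/></property> file -> dict."""
    props = dict(ASSUMED_DEFAULTS)
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def is_loopback(addr):
    """True for localhost, 127.0.0.0/8 and ::1; False for 0.0.0.0 or any other address."""
    if addr.strip().lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr.strip()).is_loopback
    except ValueError:
        return False


def parse_shiro_urls(text):
    """Ordered (pattern, filter chain) pairs from the [urls] section of shiro.ini."""
    rules, section = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "urls" and "=" in line:
            pattern, chain = (s.strip() for s in line.split("=", 1))
            rules.append((pattern, chain))
    return rules


def ant_match(pattern, path):
    """Simplified Shiro/Ant matching: '**' spans path segments, '*' does not."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None


def chain_for(rules, path):
    """Shiro applies the first [urls] entry whose pattern matches the path."""
    for pattern, chain in rules:
        if ant_match(pattern, path):
            return chain
    return None


def audit(site_xml, shiro_ini=None, probe_path="/api/notebook"):
    """Return a list of findings; an empty list means both recommendations are met."""
    props = parse_site_xml(site_xml)
    findings = []
    addr = props["zeppelin.server.addr"]
    if not is_loopback(addr):
        findings.append(f"zeppelin.server.addr={addr!r} binds beyond loopback")
    if shiro_ini is None:
        findings.append("no conf/shiro.ini: every request is anonymous")
    else:
        chain = chain_for(parse_shiro_urls(shiro_ini), probe_path)
        filters = [f.strip() for f in chain.split(",")] if chain else []
        if chain is None or "anon" in filters:
            findings.append(f"shiro.ini allows anonymous access to {probe_path}")
    if props["zeppelin.anonymous.allowed"].lower() != "false":
        findings.append("zeppelin.anonymous.allowed is not false")
    return findings


# Constructed sample: what the quickstart leaves behind (assumed 0.8.1 defaults).
WEAK_SITE_XML = """<configuration>
  <property><name>zeppelin.server.addr</name><value>0.0.0.0</value></property>
  <property><name>zeppelin.server.port</name><value>8080</value></property>
  <property><name>zeppelin.anonymous.allowed</name><value>true</value></property>
</configuration>"""

# Constructed sample: both recommendations applied (loopback bind, auth required).
HARDENED_SITE_XML = WEAK_SITE_XML.replace("0.0.0.0", "127.0.0.1").replace(
    "<value>true</value>", "<value>false</value>")

HARDENED_SHIRO_INI = """
[users]
admin = change-me, admin
[roles]
admin = *
[urls]
/api/version = anon     # version banner only; everything else needs a login
/** = authc
"""

if __name__ == "__main__":
    for label, site, shiro in (("quickstart defaults", WEAK_SITE_XML, None),
                               ("hardened", HARDENED_SITE_XML, HARDENED_SHIRO_INI)):
        print(f"{label}: {audit(site, shiro) or ['OK']}")
```

Point the script at a real conf/ directory by reading the two files into strings and calling audit(); a shiro.ini whose [urls] section ends in "/** = anon" is reported as anonymous just as a missing file is, because Shiro takes the first matching rule and "anon" disables the authentication filter for that path.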