Posted to dev@zeppelin.apache.org by "Ben Lincoln (JIRA)" <ji...@apache.org> on 2019/05/22 17:39:00 UTC

[jira] [Created] (ZEPPELIN-4166) Zeppelin listens on all interfaces by default, with anonymous access

Ben Lincoln created ZEPPELIN-4166:
-------------------------------------

             Summary: Zeppelin listens on all interfaces by default, with anonymous access
                 Key: ZEPPELIN-4166
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-4166
             Project: Zeppelin
          Issue Type: Bug
    Affects Versions: 0.8.1
         Environment: Apache Zeppelin 0.8.1 on Mac OS and Linux (probably other platforms as well).
            Reporter: Ben Lincoln


If a user follows the quickstart instructions for Zeppelin (https://zeppelin.apache.org/docs/latest/quickstart/install.html), they will end up with a network service listening on their machine which is:

1 - Accessible remotely, because the service listens on all interfaces by default (tested on MacOS and Linux).

2 - Accessible anonymously. Other documents mention the optional Shiro configuration, but this is not referenced in the quickstart, and not part of the default configuration.

3 - Capable of arbitrary code execution on the host where it is running.

This seems exceedingly dangerous.

I would strongly recommend:

a - Bind only to the loopback interface by default.

b - Require authentication by default. At a minimum, the Shiro documentation should be mentioned in the quickstart guide.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
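A quick check for the two defaults the ticket describes, added here as an example; this is not code from the ticket or from the Zeppelin project. It parses a zeppelin-site.xml (the Hadoop-style property file Zeppelin reads), resolves the bind address and anonymous flag the way Zeppelin 0.8.x does (ZEPPELIN_ADDR / ZEPPELIN_PORT from zeppelin-env.sh override the XML, which overrides the built-in defaults 0.0.0.0, 8080 and anonymous allowed), and reports whether the result matches recommendations (a) and (b). The sample XML is constructed; the shiro_ini_present flag stands in for checking whether conf/shiro.ini exists, which is a simplification of how Zeppelin decides to enforce Shiro authentication.

```python
"""Added audit for the two defaults ZEPPELIN-4166 describes: zeppelin-site.xml
leaving the server bound to 0.0.0.0 and anonymous access enabled."""
import ipaddress
import os
import xml.etree.ElementTree as ET

# Values Zeppelin 0.8.1 falls back to when the property is absent from zeppelin-site.xml.
DEFAULTS = {
    "zeppelin.server.addr": "0.0.0.0",
    "zeppelin.server.port": "8080",
    "zeppelin.anonymous.allowed": "true",
}

# Environment variables (normally exported from conf/zeppelin-env.sh) that take
# precedence over the corresponding XML property.
ENV_OVERRIDES = {
    "zeppelin.server.addr": "ZEPPELIN_ADDR",
    "zeppelin.server.port": "ZEPPELIN_PORT",
}


def parse_site_xml(xml_text):
    """Parse the Hadoop-style <configuration><property><name/><value/></property> file."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def effective(props, key, env):
    """Resolve a setting the way Zeppelin does: env var, then XML, then built-in default."""
    env_name = ENV_OVERRIDES.get(key)
    if env_name and env.get(env_name):
        return env[env_name]
    return props.get(key, DEFAULTS[key])


def is_loopback(addr):
    """True for localhost, 127.0.0.0/8 and ::1; any other hostname counts as exposed."""
    if addr.strip().lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr.strip()).is_loopback
    except ValueError:
        return False


def audit(xml_text, env=None, shiro_ini_present=False):
    """Return the effective bind settings plus a list of findings (empty when hardened).

    shiro_ini_present is an assumption standing in for "conf/shiro.ini exists";
    the shipped file is shiro.ini.template, so a quickstart install has none.
    """
    env = os.environ if env is None else env
    props = parse_site_xml(xml_text)
    addr = effective(props, "zeppelin.server.addr", env)
    port = effective(props, "zeppelin.server.port", env)
    anonymous = effective(props, "zeppelin.anonymous.allowed", env).lower() == "true"

    findings = []
    if not is_loopback(addr):
        findings.append(f"bind address {addr}:{port} is reachable from other hosts")
    if anonymous and not shiro_ini_present:
        findings.append("anonymous access allowed and no conf/shiro.ini to require login")
    return {"bind_addr": addr, "port": port, "anonymous": anonymous, "findings": findings}


# Constructed sample: what the quickstart leaves behind (only the port is set).
WEAK_SITE_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>zeppelin.server.port</name><value>8080</value></property>
</configuration>
"""

# Constructed sample applying recommendations (a) and (b) from the ticket.
HARDENED_SITE_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>zeppelin.server.addr</name><value>127.0.0.1</value></property>
  <property><name>zeppelin.server.port</name><value>8080</value></property>
  <property><name>zeppelin.anonymous.allowed</name><value>false</value></property>
</configuration>
"""

if __name__ == "__main__":
    for label, xml, shiro in (("quickstart", WEAK_SITE_XML, False),
                              ("hardened", HARDENED_SITE_XML, True)):
        result = audit(xml, env={}, shiro_ini_present=shiro)
        print(label, result["findings"] or "no findings")
```

Run it against a real install by reading conf/zeppelin-site.xml into audit() and passing os.path.exists("conf/shiro.ini") as shiro_ini_present; leave env unset so the process environment (or a sourced zeppelin-env.sh) is honoured, since a ZEPPELIN_ADDR export silently undoes a loopback setting in the XML.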