Operating System:

[Ubuntu]

Published:

31 August 2022

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4276
               USN-5585-1: Jupyter Notebook vulnerabilities
                              31 August 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jupyter Notebook
Publisher:         Ubuntu
Operating System:  Ubuntu
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-29238 CVE-2022-24758 CVE-2020-26215
                   CVE-2019-10856 CVE-2019-10255 CVE-2019-9644
                   CVE-2018-21030 CVE-2018-19351 

Original Bulletin: 
   https://ubuntu.com/security/notices/USN-5585-1

Comment: CVSS (Max):  7.5* CVE-2022-24758 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
         * Not all CVSS available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-5585-1: Jupyter Notebook vulnerabilities
30 August 2022

Several security issues were fixed in Jupyter Notebook.
Releases

  o Ubuntu 22.04 LTS
  o Ubuntu 20.04 LTS
  o Ubuntu 18.04 LTS

Packages

  o jupyter-notebook - Jupyter interactive notebook

Details

It was discovered that Jupyter Notebook incorrectly handled certain notebooks.
An attacker could possibly use this issue of lack of Content Security Policy
in Nbconvert to perform cross-site scripting (XSS) attacks on the notebook
server. This issue only affected Ubuntu 18.04 LTS. ( CVE-2018-19351 )

It was discovered that Jupyter Notebook incorrectly handled certain SVG
documents. An attacker could possibly use this issue to perform cross-site
scripting (XSS) attacks. This issue only affected Ubuntu 18.04 LTS.
( CVE-2018-21030 )

It was discovered that Jupyter Notebook incorrectly filtered certain URLs on
the login page. An attacker could possibly use this issue to perform
open-redirect attack. This issue only affected Ubuntu 18.04 LTS.
( CVE-2019-10255 )

It was discovered that Jupyter Notebook had an incomplete fix for
CVE-2019-10255 . An attacker could possibly use this issue to perform
open-redirect attack using empty netloc. ( CVE-2019-10856 )

It was discovered that Jupyter Notebook incorrectly handled the inclusion of
remote pages on Jupyter server. An attacker could possibly use this issue to
perform cross-site script inclusion (XSSI) attacks. This issue only affected
Ubuntu 18.04 LTS. ( CVE-2019-9644 )

It was discovered that Jupyter Notebook incorrectly filtered certain URLs to a
notebook. An attacker could possibly use this issue to perform open-redirect
attack. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
( CVE-2020-26215 )

It was discovered that Jupyter Notebook server access logs were not protected.
An attacker having access to the notebook server could possibly use this issue
to get access to steal sensitive information such as auth/cookies.
( CVE-2022-24758 )

It was discovered that Jupyter Notebook incorrectly configured hidden files on
the server. An authenticated attacker could possibly use this issue to see
unwanted sensitive hidden files from the server which may result in getting
full access to the server. This issue only affected Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. ( CVE-2022-29238 )

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 22.04

  o python3-notebook - 6.4.8-1ubuntu0.1
  o jupyter-notebook - 6.4.8-1ubuntu0.1

Ubuntu 20.04

  o python3-notebook - 6.0.3-2ubuntu0.1
  o jupyter-notebook - 6.0.3-2ubuntu0.1

Ubuntu 18.04

  o python3-notebook - 5.2.2-1ubuntu0.1
  o python-notebook - 5.2.2-1ubuntu0.1
  o jupyter-notebook - 5.2.2-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References

  o CVE-2022-24758
  o CVE-2019-9644
  o CVE-2022-29238
  o CVE-2018-21030
  o CVE-2020-26215
  o CVE-2019-10856
  o CVE-2019-10255
  o CVE-2018-19351

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYw6r4MkNZI30y1K9AQjsyxAAnJRiH9/Fyka6R5QvbQOlW+YIiH58gjIt
RYQ0jx5LcsnoHVwRJCxnRNVloNblH1SQbC3SddsXTXieyuZ5et8xcmqNdyO5NKLs
U1KpUOe4F0TBGM8gn6bzZVAMstRAyZvxgTrnSq3WMO8jDylygqnNUZiz3i/7CscJ
UvKYqemcUSkVkrjRCyH70DgMifxv/pwskE9FjL+vETlAfoCiOcEBlb5LaCTMf5lS
vQe0/UIzJdY2PXiV2Me5/H5zLdZ9NUzWwWIjK9zOR03T3MElPBv7bW4LhjOcbQDY
P4DRBzv7DJwvB//06N5xkIo/XpjkNsGvrEfiWmXECpFvcFZyJbYZrsw/Md5D6W6F
QFyAEnKsxCsDq8H2W3iK94Qdn4YIhX4gf4OamG1p90++xyjIAToWv+ygyT9HmX0B
DDbdpgihzLcEflivjn83ufn0JkJ1G+A7a3awNXg/FNulerW276F9hH7W2Yz1mKrY
yObZqG3i3TAFer33KMeWsis/NTKGEVrxGndEo/Tr65ehXeLpvY0KLqkI7Rf8lu8o
NOjbPLDphero5lPAo5mg+GLld1w/BCpXsXKDHDgm2iurYnIWlPuipzruwHeZ4g5U
GZthE9rLwiTutIF/2LLy4oQh+L8h923UpoiMNNzBJSxbRwUDEtAsePknzQsX+Khn
jU1lI7pK8IY=
=686f
-----END PGP SIGNATURE-----