Ben Lincoln created ZEPPELIN-4166:
-------------------------------------
Summary: Zeppelin listens on all interfaces by default, with anonymous access
Key: ZEPPELIN-4166
URL: https://issues.apache.org/jira/browse/ZEPPELIN-4166
Project: Zeppelin
Issue Type: Bug
Affects Versions: 0.8.1
Environment: Apache Zeppelin 0.8.1 on Mac OS and Linux (probably other platforms as well).
Reporter: Ben Lincoln
If a user follows the quickstart instructions for Zeppelin ([https://zeppelin.apache.org/docs/latest/quickstart/install.html]), they will end up with a network service listening on their machine which is:

1 - Accessible remotely, because the service listens on all interfaces by default (tested on MacOS and Linux).
2 - Accessible anonymously. Other documents mention the optional Shiro configuration, but this is not referenced in the quickstart, and not part of the default configuration.
3 - Capable of arbitrary code execution on the host where it is running.

This seems exceedingly dangerous.

I would strongly recommend:

a - Bind only to the loopback interface by default.
b - Require authentication by default. At a minimum, the Shiro documentation should be mentioned in the quickstart guide.
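An added audit script, not part of the ticket or of Zeppelin itself, that checks an install for the two defaults described above: it reads the bind address from conf/zeppelin-site.xml (property zeppelin.server.addr, treated as 0.0.0.0 when unset, matching the reported 0.8.1 behaviour) and inspects the [urls] section of conf/shiro.ini for an explicit anon rule on the catch-all route. The sample configuration strings are constructed for the demonstration.

```python
import configparser
import xml.etree.ElementTree as ET
from typing import List, Optional

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def bind_address(site_xml: str) -> str:
    """Read zeppelin.server.addr from zeppelin-site.xml text (Hadoop-style
    <property><name/><value/></property> entries). An unset value is treated as
    0.0.0.0, the all-interfaces default the report describes (assumption)."""
    root = ET.fromstring(site_xml)
    for prop in root.findall("property"):
        if prop.findtext("name", "").strip() == "zeppelin.server.addr":
            return prop.findtext("value", "").strip() or "0.0.0.0"
    return "0.0.0.0"

def anonymous_allowed(shiro_ini: Optional[str]) -> bool:
    """True when there is no conf/shiro.ini (the quickstart state), when [urls]
    is missing, when the catch-all /** route is explicitly 'anon', or when no
    /** rule exists at all (Shiro leaves unmatched paths unfiltered)."""
    if shiro_ini is None:
        return True
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep URL patterns and class names case-sensitive
    cp.read_string(shiro_ini)
    if not cp.has_section("urls"):
        return True
    for pattern, chain in cp.items("urls"):  # Shiro matches top-down
        if pattern == "/**":
            return "anon" in [f.strip() for f in chain.split(",")]
    return True

def audit(site_xml: str, shiro_ini: Optional[str]) -> List[str]:
    """Return the findings a reviewer would raise for this install."""
    findings = []
    addr = bind_address(site_xml)
    if addr not in LOOPBACK:
        findings.append(f"listens on {addr}: reachable from other hosts")
    if anonymous_allowed(shiro_ini):
        findings.append("no authentication: notebook (code execution) access is anonymous")
    return findings

# Constructed samples: a quickstart-style install (no addr, no shiro.ini) and a hardened one.
QUICKSTART_SITE_XML = ("<configuration><property><name>zeppelin.server.port</name>"
                       "<value>8080</value></property></configuration>")
HARDENED_SITE_XML = ("<configuration><property><name>zeppelin.server.addr</name>"
                     "<value>127.0.0.1</value></property></configuration>")
HARDENED_SHIRO_INI = "[users]\nadmin = CHANGE-ME, admin\n[roles]\nadmin = *\n[urls]\n/api/version = anon\n/** = authc\n"

if __name__ == "__main__":
    print(audit(QUICKSTART_SITE_XML, None))                # two findings
    print(audit(HARDENED_SITE_XML, HARDENED_SHIRO_INI))    # []
```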
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)