CVE-2023-48022

Advisory

Ray allows a remote attacker to execute arbitrary code via the job submission API. In the default configuration, Ray does not enforce authentication. As a result, attackers may freely submit jobs, delete existing jobs, retrieve sensitive information, and exploit the other vulnerabilities described in this advisory. While the Ray documentation included an optional mutual TLS authentication mode, Ray does not appear to support an authorization model. In other words, even if a Ray administrator explicitly enabled TLS authentication, they would be unable to grant users different permissions, such as read-only access to the Ray Dashboard.
The most direct method of exploitation discovered is to submit arbitrary operating system commands for execution via the job submission API using a raw HTTP request or the Ray Jobs Python SDK. These do not require authentication in the default configuration, and are accessible remotely to any system with access to the Ray Dashboard (TCP port 8265 by default).
NOTE: The vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.
NOTE2: This flaw has been under active exploitation in the wild and it was baptized 'ShadowRay'.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0
• https://docs.ray.io/en/latest/ray-security/index.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48022
• https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild