Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendors position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)
Weakness
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ray | Anyscale | 2.6.3 (including) | 2.6.3 (including) |
| Ray | Anyscale | 2.8.0 (including) | 2.8.0 (including) |
| Red Hat AI Inference Server 3.2 | RedHat | rhaiis/vllm-cuda-rhel9:sha256:bddcf7ab6d576572b6d60822c313ffebcd9869e4fde93e32ac327821f93cf32b | * |
| Red Hat AI Inference Server 3.2 | RedHat | rhaiis/vllm-rocm-rhel9:sha256:7856bdb7ae0d643a7b9362c164d4d4fe3c0c7186f5fff73a7ae9835b3df52e57 | * |
| Red Hat AI Inference Server 3.2 | RedHat | rhaiis/model-opt-cuda-rhel9:sha256:dce6b0ea03379bf06664a5200af8b5f5ae3fad13cdce6d21873843f22554800b | * |
Related Attack Patterns
References
- https://atlas.mitre.org/studies/AML.CS0023
- https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0
- https://docs.ray.io/en/latest/ray-security/index.html
- https://docs.ray.io/en/latest/ray-security/token-auth.html
- https://www.vicarius.io/vsociety/posts/shadowray-cve-2023-48022-exploit
- https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0
- https://docs.ray.io/en/latest/ray-security/index.html
- https://www.vicarius.io/vsociety/posts/shadowray-cve-2023-48022-exploit
- https://www.vicarius.io/vsociety/posts/the-story-of-shadowray-cve-2023-48022