Network Exposure Vulnerability in Apache MXNet Clustered Setup
CVE-2018-1281

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Mxnet
Vendor: CVE Published:; 8 June 2018

Summary

The clustered setup of Apache MXNet permits the specification of an IP address and port for the scheduler through environment variables DMLC_PS_ROOT_URI and DMLC_PS_ROOT_PORT. In versions prior to 1.0.0, the framework defaults to listening on 0.0.0.0, regardless of the user-defined settings. This misconfiguration can inadvertently expose the MXNet instance to threats from unexpected external interfaces, potentially leading to unauthorized access and exploitation. To secure deployments, users should upgrade to at least version 1.0.0 and ensure that configuration settings are properly applied to limit network exposure.

Affected Version(s)

Apache MXNet versions older than 1.0.0

References

https://github.com/dmlc/ps-lite/commit/4be817e8b03e7e9251...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 8, 2018
Vulnerability Reserved
Dec 7, 2017