An issue was discovered in Dask (aka python-dask) through 2021.09.1. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.
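The defect described above is a bind-address problem: worker processes that should only listen on the loopback interface end up listening on an external one. A defender can verify what a running cluster actually bound to by reading the worker addresses the scheduler reports. The following audit helper is an added example, not code from the Dask project or from this thread; it assumes that `Client.scheduler_info()` returns a mapping whose `"workers"` entry is keyed by worker address strings of the form `tcp://host:port`, and the sample addresses are constructed for illustration.

```python
"""Audit Dask worker listen addresses for non-loopback binds (added example)."""
import ipaddress
from urllib.parse import urlparse

# Hostnames that are loopback by convention even though they are not IP literals.
LOOPBACK_NAMES = {"localhost"}


def bind_host(address: str) -> str:
    """Return the host part of a Dask address such as 'tcp://127.0.0.1:8786'.

    urlparse handles bracketed IPv6 literals ('tcp://[::1]:8786' -> '::1').
    """
    host = urlparse(address).hostname
    if host is None:
        raise ValueError(f"cannot parse Dask address: {address!r}")
    return host


def is_loopback_host(host: str) -> bool:
    """True only if the host names a loopback interface.

    Wildcard binds (0.0.0.0, ::) and concrete interface addresses are treated
    as exposed; an unresolvable hostname is treated as exposed as well, since
    we cannot prove it is local.
    """
    if host in LOOPBACK_NAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback


def exposed_workers(workers: dict) -> dict:
    """Return the subset of a scheduler_info()['workers'] mapping whose
    listen address is not bound to loopback."""
    return {
        addr: info
        for addr, info in workers.items()
        if not is_loopback_host(bind_host(addr))
    }


def audit_client(client) -> dict:
    """Run the check against a live dask.distributed Client.

    Assumption (not verified here): client.scheduler_info()['workers'] is a
    dict keyed by worker address, as in recent distributed releases.
    """
    return exposed_workers(client.scheduler_info()["workers"])


# Constructed sample modelled on scheduler_info()["workers"]; the values are
# abbreviated, only the address keys matter for this check.
SAMPLE_WORKERS = {
    "tcp://127.0.0.1:41233": {"name": 0},
    "tcp://[::1]:41234": {"name": 1},
    "tcp://0.0.0.0:41235": {"name": 2},       # wildcard bind: exposed
    "tcp://192.0.2.10:41236": {"name": 3},    # interface address: exposed
}


if __name__ == "__main__":
    for addr in exposed_workers(SAMPLE_WORKERS):
        print(f"worker bound to non-loopback interface: {addr}")
```

On an affected release, workers created via `Client()` or `LocalCluster()` show up in the exposed set while the scheduler itself does not; passing `host="127.0.0.1"` explicitly, which the fix below forwards to workers, is the configuration a patched cluster applies. Running the audit after an upgrade confirms that the change actually took effect on the installed version.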
These references aren't very useful, I can't tell if this is actually in the changelog.
For the record, I think we're not affected since we last-rited distributed a long time ago. However, I suppose some users may re-add it locally.
I suspect the following commit in dask/distributed fixes it:
Author: Jim Crist-Harif <email@example.com>
Date: 2021-10-14 23:21:56 +0200
Pass `host` through `LocalCluster` to workers (#5427)
Previously the `host` parameter to `LocalCluster` would only be
forwarded to `Scheduler` instances and not `Worker`/`Nanny` instances,
leading to workers listening on non-localhost in some configurations.
This fixes that and adds a test.
Co-authored-by: James Bourbeau <firstname.lastname@example.org>
This is included in distributed 2021.10.0 but as I said, we don't package that anymore.
Thanks, this can be invalid then. I asked MITRE about the useless references anyway, but haven't gotten a response.