November 28, 2023 at 05:08PM
Researchers have discovered three unpatched vulnerabilities in Ray, an open source framework used for scaling AI and machine learning workloads. These vulnerabilities could allow attackers to gain operating system access, execute remote code, and escalate privileges. Anyscale, the company that sells a managed version of Ray, has not yet addressed the flaws, stating that the vulnerabilities are not relevant due to Ray’s intended use in controlled network environments. The vulnerabilities can be easily exploited by attackers who have remote access to vulnerable component ports. Organizations that expose Ray to the internet or local network are at risk.
Meeting Notes Summary:
Researchers have identified three unpatched vulnerabilities in the open source framework Ray, which is used for scaling AI and machine learning workloads. These vulnerabilities allow attackers to gain operating system access, execute remote code, and escalate privileges within a Ray cluster. The flaws pose a threat to organizations that expose their Ray instances to the Internet or local networks. The vulnerabilities were reported by Bishop Fox to Anyscale, the company that sells a managed version of Ray, but Anyscale has not yet addressed the vulnerabilities. According to Anyscale’s documentation, Ray is intended for use in a controlled network environment and organizations should ensure network traffic between Ray components is isolated and protected by strict controls and authentication mechanisms. The vulnerabilities are easy to exploit and do not require high technical skills.