Security News > 2024 > March > Hackers exploit Ray framework flaw to breach servers, hijack resources
Ray is an open-source framework developed by Anyscale that is used to scale AI and Python applications across a cluster of machines for distributed computational workloads.
In November 2023, Anyscale disclosed five Ray vulnerabilities, fixing four tracked as CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, and CVE-2023-48023.
"The remaining CVE - that Ray does not have authentication built in - is a long-standing design decision based on how Ray's security boundaries are drawn and consistent with Ray deployment best practices, though we intend to offer authentication in a future version as part of a defense-in-depth strategy," reads the AnyScale security advisory.
Specifically, Anyscale stated that the flaw is exploitable only in deployments that violated the recommendations in the project's documentation to limit Ray's use in a strictly controlled network environment.
Following these discoveries, Oligo says they alerted many companies that were breached using the Ray bug and provided assistance with remediation.
To secure Ray deployments, it's crucial to operate within a secured environment by enforcing firewall rules, adding authorization to the Ray Dashboard port, and continuously monitoring for anomalies.
News URL
Related news
- Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers (source)
- Hackers steal ZAGG customers' credit cards in third-party breach (source)
- Hackers exploit Four-Faith router flaw to open reverse shells (source)
- Hackers exploit KerioControl firewall flaw to steal admin CSRF tokens (source)
- Hackers Exploit Aviatrix Controller Vulnerability to Deploy Backdoors and Crypto Miners (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- HPE investigates breach as hacker claims to steal source code (source)
- Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet (source)
- Hackers exploit 16 zero-days on first day of Pwn2Own Automotive 2025 (source)
- CISA: Hackers still exploiting older Ivanti bugs to breach networks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-28 | CVE-2023-48023 | Server-Side Request Forgery (SSRF) vulnerability in Anyscale RAY 2.6.3/2.8.0 Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. | 9.1 |
| 2023-11-16 | CVE-2023-6020 | Unspecified vulnerability in RAY Project RAY LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. | 7.5 |
| 2023-11-16 | CVE-2023-6021 | Path Traversal vulnerability in RAY Project RAY LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. | 7.5 |
| 2023-11-16 | CVE-2023-6019 | Unspecified vulnerability in RAY Project RAY A command injection existed in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication. | 9.8 |