CVE-2023-48023

9.1 CRITICAL

📋 TL;DR

CVE-2023-48023 is a Server-Side Request Forgery (SSRF) vulnerability in the /log_proxy endpoint of Anyscale Ray versions 2.6.3 and 2.8.0. This allows attackers to make unauthorized requests from the Ray server to internal network resources. Organizations using these Ray versions in any network environment are affected, though the vendor notes Ray is intended for controlled networks only.

💻 Affected Systems

Products:
  • Anyscale Ray
Versions: 2.6.3 and 2.8.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of affected versions. The vendor states Ray is designed for controlled network environments only.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could access sensitive internal services, exfiltrate data, or pivot to other systems within the network.

🟠 Likely Case: Unauthorized access to internal HTTP/HTTPS services, potentially exposing metadata or limited internal resources.

🟢 If Mitigated: Minimal impact if network segmentation and proper access controls prevent internal service access.

🌐 Internet-Facing: HIGH - If Ray is exposed to the internet, attackers can directly exploit this SSRF vulnerability.
🏢 Internal Only: MEDIUM - Even internally, compromised users or lateral movement could exploit this to access other internal services.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the Ray instance. Public technical details are available from Bishop Fox.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.8.0 (check latest releases)

Vendor Advisory: https://docs.ray.io/en/latest/ray-security/index.html

Restart Required: Yes

Instructions:

1. Upgrade Ray to the latest version.
2. Restart all Ray services.
3. Verify the /log_proxy endpoint is no longer vulnerable.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Restrict network access to Ray instances and block outbound requests from Ray to internal services.

Disable /log_proxy Endpoint (platform: linux)

If not needed, disable or block access to the /log_proxy endpoint via firewall or configuration.

# Use firewall rules to block /log_proxy (replace [RAY_PORT] with the port the Ray dashboard listens on)
# Example for iptables:
iptables -A INPUT -p tcp --dport [RAY_PORT] -m string --string "/log_proxy" --algo bm -j DROP
# Note: the string match only inspects plaintext HTTP payloads, so it does nothing for TLS-wrapped traffic and is a stopgap;
# restricting which source addresses may reach the dashboard port at all is the more robust control.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Ray instances from sensitive internal services.
  • Deploy web application firewalls (WAF) or reverse proxies to filter malicious requests to the /log_proxy endpoint.

🔍 How to Verify

Check if Vulnerable:

Check whether the Ray version is 2.6.3 or 2.8.0, and test whether the /log_proxy endpoint accepts external URLs.

Check Version:

ray --version

Verify Fix Applied:

After patching, test that /log_proxy no longer processes requests to internal or external URLs.

📡 Detection & Monitoring

Log Indicators:

  • Requests to the /log_proxy endpoint whose target URL points at internal addresses or at external hosts that are not expected to serve logs.

Network Indicators:

  • Outbound HTTP/HTTPS requests from Ray server to unexpected internal destinations.

SIEM Query:

source="ray_logs" AND url_path="/log_proxy" AND (dest_ip!=local_network OR dest_ip=external_ip)

(Pseudo-query: the field names are illustrative and must be mapped to your own log schema. The two dest_ip conditions express the same thing, a request whose target lies outside the expected local range, so either one suffices.)
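The log indicator above, as an added example that is not part of the original page or of Ray itself: a small Python checker that walks constructed access-log lines, picks out /log_proxy requests, and flags those whose proxied target is loopback, link-local (the cloud metadata range), private, or an external host outside an allowlist. It assumes the proxied target is passed in a query parameter named `url` and that the log format is `client method path status`; both are assumptions, not facts taken from the page.

```python
import ipaddress
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample log lines (not real Ray output); assumed format: client method path status
SAMPLE_LOGS = """
10.0.0.5 GET /log_proxy?url=http%3A%2F%2F10.0.0.12%3A8265%2Flogs 200
10.0.0.5 GET /api/version 200
203.0.113.9 GET /log_proxy?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F 200
10.0.0.7 GET /log_proxy?url=http%3A%2F%2Flocalhost%3A6379%2F 502
10.0.0.5 GET /log_proxy?url=http%3A%2F%2Fexample.org%2Flogs 200
"""

# Assumed allowlist: hosts the log proxy is legitimately expected to fetch from (e.g. worker nodes)
ALLOWED_LOG_HOSTS = {"10.0.0.12"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def classify_target(host):
    """Return a reason string if `host` is a suspicious proxy target, else None."""
    if host in ALLOWED_LOG_HOSTS:
        return None
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external-host"  # a DNS name that is not on the allowlist
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # 169.254.0.0/16, where cloud metadata services live
        return "link-local (cloud metadata range)"
    if ip.is_private:
        return "private-network"
    return "external-ip"


def find_suspicious_log_proxy_requests(log_text):
    """Return (client, target_host, reason, status) for each /log_proxy request worth review."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        parsed = urlparse(path)
        if parsed.path != "/log_proxy":
            continue
        # parse_qs percent-decodes the value, so the nested URL can be parsed directly
        for target in parse_qs(parsed.query).get("url", []):  # assumed parameter name
            host = urlparse(target).hostname or ""
            reason = classify_target(host)
            if reason:
                findings.append((client, host, reason, int(status)))
    return findings
```

Run `find_suspicious_log_proxy_requests(SAMPLE_LOGS)` to see the three flagged requests; the allowlisted worker fetch on the first line is not reported.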

🔗 References