Platform
python
Component
h2o
Fixed in
3.46.0.6
3.46.1
CVE-2024-5979 is a denial-of-service (DoS) vulnerability discovered in h2o-3, a Python library for machine learning. This vulnerability allows an attacker to crash the server by exploiting the run_tool command within the rapids component. The vulnerability affects versions of h2o-3 up to and including 3.46.0. A patch has been released in version 3.46.0.6.
The core impact of CVE-2024-5979 is a denial-of-service. An attacker can remotely trigger a crash in the h2o-3 server by crafting a malicious request that targets the MojoConvertTool within the run_tool command. This crash effectively renders the server unavailable, disrupting machine learning workflows and potentially impacting dependent applications. The blast radius extends to any service relying on the vulnerable h2o-3 instance, potentially affecting data scientists, machine learning engineers, and downstream consumers of the model predictions. While the vulnerability doesn't directly lead to data exfiltration or code execution, the service disruption can have significant operational consequences.
CVE-2024-5979 was publicly disclosed on 2024-06-27. There is currently no indication of active exploitation in the wild. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests that a simple PoC could be developed relatively easily.
Organizations deploying h2o-3 for machine learning tasks, particularly those using versions 3.46.0 and earlier, are at risk. This includes data science teams, machine learning engineers, and any applications that rely on h2o-3 for model training or prediction. Shared hosting environments where h2o-3 is installed could also be vulnerable if the underlying infrastructure is not properly secured.
• python / library: Inspect installed h2o-3 versions using pip show h2o. If the version is ≤3.46.0, the system is vulnerable.
• python / library: Use import h2o; print(h2o.version) to programmatically check the version.
• generic web: Monitor server logs for errors related to MojoConvertTool or the run_tool command, which may indicate an attempted exploit.
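The two checks above (version comparison against the fixed release and a log sweep for errors mentioning the affected tool) as an added example, not code from the advisory or the h2o-3 project; the `pip show` output and log lines are constructed samples, and the log format is an assumption.

```python
import re
from typing import List, Tuple

# Fixed-in version from the advisory; anything older is treated as vulnerable.
FIXED_VERSION = "3.46.0.6"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.46.0.6' into (3, 46, 0, 6); pad so that '3.46.0' compares as 3.46.0.0."""
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(installed: str) -> bool:
    """True when the installed h2o-3 version predates the fix for CVE-2024-5979."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def version_from_pip_show(output: str) -> str:
    """Extract the 'Version:' field from the text printed by `pip show h2o`."""
    m = re.search(r"^Version:\s*(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no Version field in pip show output")
    return m.group(1)


# Error lines that mention the run_tool command or the MojoConvertTool.
TOOL_RE = re.compile(r"run_tool|MojoConvertTool", re.IGNORECASE)
ERROR_RE = re.compile(r"ERRR|ERROR|Exception|crash", re.IGNORECASE)


def find_suspect_lines(log_lines: List[str]) -> List[str]:
    """Return log lines that both reference the affected tool and carry an error marker."""
    return [ln for ln in log_lines if TOOL_RE.search(ln) and ERROR_RE.search(ln)]


# Constructed sample inputs (assumed format, not captured from a real deployment).
SAMPLE_PIP_SHOW = "Name: h2o\nVersion: 3.46.0.5\nSummary: H2O, Fast Scalable Machine Learning\n"
SAMPLE_LOG = [
    "06-27 10:01:02 INFO  GET /3/Cloud",
    "06-27 10:01:09 ERRR POST /99/Rapids run_tool MojoConvertTool: IllegalArgumentException",
    "06-27 10:01:09 INFO  POST /3/Frames",
    "06-27 10:01:10 ERRR run_tool failed: crash in MojoConvertTool argument parsing",
]

if __name__ == "__main__":
    ver = version_from_pip_show(SAMPLE_PIP_SHOW)
    print(f"h2o {ver} vulnerable to CVE-2024-5979: {is_vulnerable(ver)}")
    for line in find_suspect_lines(SAMPLE_LOG):
        print("suspect:", line)
```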
disclosure
Exploit Status
EPSS
0.12% (percentile 31%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-5979 is to upgrade to version 3.46.0.6 or later. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider implementing input validation on the run_tool command to prevent the execution of potentially malicious arguments. While a WAF is unlikely to directly address this vulnerability, rate limiting requests to the run_tool endpoint could help mitigate the impact of a denial-of-service attack. After upgrading, confirm the fix by attempting to invoke the MojoConvertTool with an invalid argument and verifying that the server does not crash.
Update the h2oai/h2o-3 library to version 3.46.0.6 or later. This fixes the denial-of-service vulnerability caused by incorrect argument handling in the MojoConvertTool. The update prevents an attacker from crashing the server by sending invalid arguments.
CVE-2024-5979 is a denial-of-service vulnerability in h2o-3 versions up to 3.46.0. An attacker can crash the server by exploiting the MojoConvertTool, leading to service disruption.
You are affected if you are using h2o-3 version 3.46.0 or earlier. Check your installed version using pip show h2o.
Upgrade to version 3.46.0.6 or later. If immediate upgrade isn't possible, implement input validation on the run_tool command.
There is currently no indication of active exploitation in the wild, but a PoC could be developed easily.
Refer to the h2o.ai security advisories page for the latest information: https://www.h2o.ai/security/