[GeoNode-devel] Urgent GeoNode Security Notice

Patrick Dufour pjdufour.dev at gmail.com
Wed Mar 29 09:05:54 PDT 2017


All --

I was notified by a colleague to a critical security issue with GeoNode.
It expanded from there.  I worked through multiple security issues and
developed patches (ansible and manual tasks).  The primary issue is that
the default GeoServer can be easily rooted with a public master password.
For instance, the GeoServer on our demo instance, can be rooted.  This is
an issue with deployment and doesn't require any changes to the core Django
codebase.

If you have a custom GeoServer WAR or highly-custom downstream project, you
may not be affected, but very much worth double checking as soon as you can.

I've created a GeoNode Security guide for manually fixing the issues, which
can be completed in less than an hour.  See the goo.gl link below, which
points to a GitHub gist.

https://goo.gl/rJn1Tq

In particular, this guide covers how to secure your (1) Django admin, (2)
GeoServer admin, and (3) GeoServer root accounts (yes, you need to secure 3
separate admin-level accounts).

I've also updated the public Ansible role on GitHub, so you can immediately
use that by cloning it.  The ansible and manual tasks are complete patches
for the security issues specifically referenced, but do not cover all
GeoNode security best practices.

Regards,
Patrick Dufour
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/geonode-devel/attachments/20170329/a0e7f120/attachment.html>


More information about the geonode-devel mailing list