[GeoNode-users] GeoNode containers compromised

Giovanni Allegri giovanni.allegri at geosolutionsgroup.com
Thu Sep 19 07:54:44 PDT 2024 

Hi Anderson,

which version of Geoserver are you using? Did you upgrade after
CVE-2024-36401 <https://github.com/GeoNode/geonode-docker/issues/44>?

Giovanni


On Thu, Sep 19, 2024 at 4:49 PM Anderson Soares Ferreira via geonode-users <
geonode-users at lists.osgeo.org> wrote:

>
> Dear users,
>
> We maintain a Geonode instance that is currently running the version
> 4.1.3. The environment  is up and running since July 2023.
> About a month ago I noticed an abnormal CPU utilization on the Geonode's
> server and after some inspection I discovered that the Django's container
> had been compromised and it was being used for crypto currency mining. The
> attacker was able to upload the mining utility to the container's tmp
> directory and remotely started it.
> At that time, I've stopped and recreated the containers and no other event
> has happened until this week.
> Yesterday the host server started presenting an elevated CPU utilization
> again, but this time the compromised container was the geoserver and the
> mining utility was uploaded to the tomcat's tmp directory.
> I've  been trying to understand the mechanism used to compromise the
> containers, but the fact that two different containers were compromised
> made things a little more complicated.
> I've checked the CVEs related to GeoNode, and from all of them, the most
> probable of being explored was CVE-2023-28442,  but our environment was
> already patched to it. The HTTP logs from our reverse proxy didn't help
> either and I'm out of ideas on how to solve this problem.
> Although a system upgrade to a more recent stable version is planned for
> the near future, I would prefer to at least mitigate the issue as soon as
> possible.
> Has anyone experienced a similar issue? How was it solved?
>
> Any clue would be appreciated.
>
> Best regards,
>
> Anderson
> ----
> Anderson Soares Ferreira - anderson.soares at embrapa.br
> Núcleo de Tecnologia da Informação - NTI
> Embrapa Territorial
> Tel.: (19) 3211-6200
>
> __________________________
> Aviso de confidencialidade
>
> Esta mensagem da Empresa  Brasileira de Pesquisa  Agropecuaria (Embrapa),
> empresa publica federal  regida pelo disposto  na Lei Federal no. 5.851,
> de 7 de dezembro de 1972,  e  enviada exclusivamente  a seu destinatario e
> pode conter informacoes  confidenciais, protegidas  por sigilo
> profissional.  Sua utilizacao desautorizada  e ilegal e  sujeita o infrator
> as penas da lei. Se voce  a recebeu indevidamente, queira, por gentileza,
> reenvia-la ao emitente, esclarecendo o equivoco.
>
> Confidentiality note
>
> This message from Empresa  Brasileira de Pesquisa  Agropecuaria (Embrapa),
> a government company  established under  Brazilian law (5.851/72), is
> directed exclusively to  its addressee  and may contain confidential data,
> protected under  professional secrecy  rules. Its unauthorized  use is
> illegal and  may subject the transgressor to the law's penalties. If you
> are not the addressee, please send it back, elucidating the failure.
> _______________________________________________
> geonode-users mailing list
> geonode-users at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/geonode-users
>


-- 

==

GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.
==

Dott. Giovanni Allegri

Technical Lead / Project Manager


GeoSolutions Group
phone: +39 0584 962313
cell:     +39 345 2815774

fax:      +39 0584 1660272

https://www.geosolutionsgroup.com/
http://twitter.com/geosolutions_it
-------------------------------------------------------

Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE
2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si
precisa che ogni circostanza inerente alla presente email (il suo
contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è
riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il
messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra
operazione è illecita. Le sarei comunque grato se potesse darmene notizia.

This email is intended only for the person or entity to which it is
addressed and may contain information that is privileged, confidential or
otherwise protected from disclosure. We remind that - as provided by
European Regulation 2016/679 “GDPR” - copying, dissemination or use of this
e-mail or the information herein by anyone other than the intended
recipient is prohibited. If you have received this email by mistake, please
notify us immediately by telephone or e-mail.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/geonode-users/attachments/20240919/1e4071cb/attachment.htm>

More information about the geonode-users mailing list