Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-28442: Geoserver for GeoNode sensitive information leak

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. Prior to versions 2.20.6, 2.19.6, and 2.18.7, anonymous users can obtain sensitive information about GeoNode configurations from the response of the /geoserver/rest/about/status Geoserver REST API endpoint. The Geoserver endpoint is secured by default, but the configuration of Geoserver for GeoNode opens a list of REST endpoints to support some of its public-facing services. The vulnerability impacts both GeoNode 3 and GeoNode 4 instances. Geoserver security configuration is provided by geoserver-geonode-ext. A patch for 2.20.7 has been released which blocks access to the affected endpoint. The patch has been backported to branches 2.20.6, 2.19.7, 2.19.6, and 2.18.7. All the published artifacts and Docker images have been updated accordingly. A more advanced patch has been applied to the master and development versions, which require some changes to GeoNode code. They will be available with the next 4.1.0 release. The patched configuration only has an effect on new deployments. For existing setups, the patch must be applied manually inside the Geoserver data directory. The patched file must replace the existing <geoserver_datadir>/security/rest.properties file.

CVE
#vulnerability#docker

Impact

Anonymous users can obtain sensitive information about GeoNode configurations from the response of the /geoserver/rest/about/status Geoserver REST API endpoint. The Geoserver endpoint is secured by default, but the configuration of Geoserver for GeoNode opens a list of REST endpoints to support some of its public-facing services.

The vulnerability impacts both GeoNode 3 and GeoNode 4 instances.

Patches

Geoserver security configuration is provided by geoserver-geonode-ext. A patch for 2.20.7 has been released which blocks access to the affected endpoint.
The patch has been backported to branches 2.20.6, 2.19.7, 2.19.6 and 2.18.7
All the published artifacts and Docker images have been updated accordingly.

A more advanced patch has been applied to the master and development versions, which require some changes to GeoNode code. They will be available with the next 4.1.0 release.
By the way, the patch employed for the released version is equally effective.

Workarounds

The patched configuration only has an effect on new deployments. For existing setups, it must be applied manually inside the Geoserver data directory. The patched file must replace the existing <geoserver_datadir>/security/rest.properties file.

For a Docker setup:

  1. Assuming you have access to the server where the GeoNode container (django4myproject) is running
  2. Assuming you have permission to execute Docker commands
  3. Assuming you have saved this file containing the patch to your home folder (e.g. /home/myuser)

The following command will apply the patch to the Geoserver data directory:

docker cp /home/myuser/rest.properties django4myproject:/geoserver_data/data/security/

Geoserver will pick up the new configuration dynamically. No restart is required.
You can verify the patch has been applied by visiting the following endpoint (assuming https://mygeonode.org is the ULR for your GeoNode instance):

https://mygeonode.org/geoserver/rest/about/status

A prompt for credentials should appear in place of the response.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907