Impact
Anonymous users can obtain sensitive information about GeoNode configurations from the response of the /geoserver/rest/about/status Geoserver REST API endpoint. The Geoserver endpoint is secured by default, but the configuration of Geoserver for GeoNode opens a list of REST endpoints to support some of its public-facing services.
The vulnerability impacts both GeoNode 3 and GeoNode 4 instances.
Patches
Geoserver security configuration is provided by geoserver-geonode-ext. A patch for 2.20.7 has been released which blocks access to the affected endpoint.
The patch has been backported to branches 2.20.6, 2.19.7, 2.19.6 and 2.18.7
All the published artifacts and Docker images have been updated accordingly.
A more advanced patch has been applied to the master and development versions, which require some changes to GeoNode code. They will be available with the next 4.1.0 release.
By the way, the patch employed for the released version is equally effective.
Workarounds
The patched configuration only has an effect on new deployments. For existing setups, it must be applied manually inside the Geoserver data directory. The patched file must replace the existing <geoserver_datadir>/security/rest.properties file.
For a Docker setup:
- Assuming you have access to the server where the GeoNode container (
django4myproject) is running
- Assuming you have permission to execute Docker commands
- Assuming you have saved this file containing the patch to your home folder (e.g.
/home/myuser)
The following command will apply the patch to the Geoserver data directory:
>>docker cp /home/myuser/rest.properties django4myproject:/geoserver_data/data/security/
Geoserver will pick up the new configuration dynamically. No restart is required.
You can verify the patch has been applied by visiting the following endpoint (assuming https://mygeonode.org is the ULR for your GeoNode instance):
https://mygeonode.org/geoserver/rest/about/status
A prompt for credentials should appear in place of the response.
d3netxer Reporter
Impact
Anonymous users can obtain sensitive information about GeoNode configurations from the response of the
/geoserver/rest/about/statusGeoserver REST API endpoint. The Geoserver endpoint is secured by default, but the configuration of Geoserver for GeoNode opens a list of REST endpoints to support some of its public-facing services.The vulnerability impacts both GeoNode 3 and GeoNode 4 instances.
Patches
Geoserver security configuration is provided by geoserver-geonode-ext. A patch for 2.20.7 has been released which blocks access to the affected endpoint.
The patch has been backported to branches 2.20.6, 2.19.7, 2.19.6 and 2.18.7
All the published artifacts and Docker images have been updated accordingly.
A more advanced patch has been applied to the master and development versions, which require some changes to GeoNode code. They will be available with the next 4.1.0 release.
By the way, the patch employed for the released version is equally effective.
Workarounds
The patched configuration only has an effect on new deployments. For existing setups, it must be applied manually inside the Geoserver data directory. The patched file must replace the existing
<geoserver_datadir>/security/rest.propertiesfile.For a Docker setup:
django4myproject) is running/home/myuser)The following command will apply the patch to the Geoserver data directory:
>>docker cp /home/myuser/rest.properties django4myproject:/geoserver_data/data/security/Geoserver will pick up the new configuration dynamically. No restart is required.
You can verify the patch has been applied by visiting the following endpoint (assuming https://mygeonode.org is the ULR for your GeoNode instance):
https://mygeonode.org/geoserver/rest/about/statusA prompt for credentials should appear in place of the response.