Umami is vulnerable - upgrade immediately
from Mubelotix@jlai.lu to selfhosted@lemmy.world on 09 Dec 13:28
https://jlai.lu/post/29883346

All umami instances have been infected with a persisting crypto miner. Umami was affected by the next.js CVE but quietly released a fix, so most of their users missed it.

#selfhosted


non_burglar@lemmy.world on 09 Dec 13:35

Link? Did you discover this yourself? There is no actual info here.

wildbus8979@sh.itjust.works on 09 Dec 13:39

github.com/umami-software/umami/issues/3852

non_burglar@lemmy.world on 09 Dec 13:55

Thank you!

Mubelotix@jlai.lu on 09 Dec 13:40

All recently opened issues are about this. I was a victim, but I’m not the first, and people on reddit have done better investigations than I have. Look for the name of the process at the top.

non_burglar@lemmy.world on 09 Dec 13:46

Thanks.

For severe incidents like this, please post the most appropriate link, in this case github.com/umami-software/umami/issues/3852.

Admins in self hosted usually don’t have that much experience with real, active compromise and may panic. Let’s help them as much as possible.

I will add that Umami itself is not compromised, but vulnerable. That is a somewhat misleading title.

What was the vector? Did you have umami exposed publicly?

rayboy@lemmy.world on 09 Dec 14:15

Wow, I’m glad I happened to see this here. Thank you for the post. I was just thinking about putting all my services behind a VPN too; I think I’m going to go ahead and put that at the top of the list…

GottaHaveFaith@fedia.io on 09 Dec 18:14

I don't think a VPN would help here.

[deleted] on 09 Dec 18:59

.

GottaHaveFaith@fedia.io on 09 Dec 19:12

Yes, I re-read the CVE. I thought it was an issue with an npm package with a cryptominer.

EncryptKeeper@lemmy.world on 09 Dec 20:47

Yeah, but Umami is an analytics engine powered by client-side tracking. If it was behind a VPN it would be useless.

frongt@lemmy.zip on 09 Dec 22:03

Unless it was the software package itself that was compromised.

EncryptKeeper@lemmy.world on 10 Dec 06:18

It was not.

EncryptKeeper@lemmy.world on 09 Dec 14:47

I don’t know about “all umami instances being infected” but they were certainly all vulnerable.

corsicanguppy@lemmy.ca on 09 Dec 21:00

I see it’s running Ansible. That’s an obvious risk.

clb92@feddit.dk on 09 Dec 21:09

All umami instances have been infected with a persisting crypto miner.

Source for that claim? Because vulnerable does not mean infected.

Also, I’m kinda glad my instance has been offline for a while now because of database trouble. That was lucky.

Bombastic@sopuli.xyz on 10 Dec 00:22

Look inside

React2Shell

Just another day on the job

rehydrate5503@lemmy.world on 11 Dec 17:55

This could explain why my 4C/8T VPS started hitting 100% CPU usage shortly after boot, with next to nothing else running on it.