All Umami instances have been infected with a persisting crypto miner. Umami was affected by the Next.js CVE but quietly released a fix, so most of their users missed it.
I don’t know about “all umami instances being infected” but they were certainly all vulnerable.
non_burglar@lemmy.world 4 days ago
Link? Did you discover this yourself? There is no actual info here.
wildbus8979@sh.itjust.works 4 days ago
github.com/umami-software/umami/issues/3852
non_burglar@lemmy.world 4 days ago
Thank you!
Mubelotix@jlai.lu 4 days ago
All recently opened issues are about this. I was a victim, but I’m not the first, and people on Reddit have done better investigations than I have. Look for the name of the process at the top.
non_burglar@lemmy.world 4 days ago
Thanks.
For severe incidents like this, please post the most appropriate link, in this case github.com/umami-software/umami/issues/3852
Admins in self-hosted usually don’t have that much experience with real, active compromise and may panic. Let’s help them as much as possible.
What was the vector? Did you have umami exposed publicly?