GeoServer Blog

GeoServer 2.21-RC Release Candidate

GeoServer 2.21-RC release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a GeoServer release candidate made in conjunction with GeoTools 27-RC and GeoWebCache 1.21-RC.

  • Release candidates are a community building exercise and are not intended for production use.
  • We ask the community (everyone: individuals, organizations, service providers) to download and thoroughly test this release candidate and report back.
  • Testing priority is the new internationalization support
  • Participating in testing release candidates is a key expectation of our open source social contract. We make an effort to thank each person who tests in our release announcement and project presentations!
  • GeoServer commercial service providers are fully expected to test on behalf of their customers.

Release Candidate Testing Priorities

We would like to ask for your assistance testing the following:

  • Try out the new language chooser, and if you spot any translations you can help out with we would love your assistance translating geoserver.

  • The ability to customize feature types allows for a lot of creativity, please try this out and share your examples

  • This release features a new Log4J logging system. If you only choose between the built-in logging profiles we expect everything to be smooth an uneventful.

    If you have made any custom logging profiles, or customized the built-in logging profiles in place, some additional care is required (see below). We are very interested in this upgrade process and ask for your feedback and testing at this time.

  • For those using GDAL or OGR please check the instructions below on upgrading to GDAL 3.

A reminder that open-source is a community activity and we ask everyone to take part at this time.

Feature Type Customization

We are pleased to share a long-requested feature - the ability to rename attributes and change attribute order when publishing a FeatureType.

Feature type customization

It is also possible to change attribute type, and with the use of ECQL expressions generate new attributes on the fly.

The above example works around the limitations of shapefile to use longer names, and creates a new attribute capital on the fly from an expression, as shown in the following GetFeatureInfo output.

GetFeatureInfo tasmania_cities

This is a great new addition to GeoServer, please see Feture Type Details in the user guide for details.

Thanks to Andrea Aime (GeoSolutions) for proposal GSIP-207 and implementation.

Translations and Language Chooser

A big thanks to Alexandre Gacon and everyone who helped improve GeoServer internationalization for during this release cycle.

To support this activity Andrea Aime has contributed a language chooser to the top of the screen (near the login button).

Language chooser

For more information see Choosing the UI language (User Guide).

  • GEOS-1158 Specify Geoserver UI Language in Configuration

Add Styles support to LayerGroup

Layer groups can now be configured with additional styles, with each style listing a series of layers along with the style used to render each layer.

Layer group styles

This allows a SINGLE or OPAQUE layer group to list alternate styles in addition to the default one. Each alternate style is defined by a named configuration of layers and styles providing a unique visual representation.

In the above example the layer group Tasmania is setup with an alternate “data” presentation, presenting the content with the geoserver default styles point, line and polygon.

Layer group style Tasmania

For more information see Layer Group Styles (User Guide).

  • GEOS-10252 Add Styles support to LayerGroup
  • GEOS-10274 Geofence follow up LayerGroup Style addition

Thanks to Marco Volpini (GeoSolutions) for GSIP-205 proposal and implementation.

GeoPackage WMS and WFS Output

The result of proposal GSIP-206 is the creation of the gs-geopkg-output extension packaging up the WFS and WMS output formats from the geopackage community module.

curl "http://localhost:8080/geoserver/wfs?service=wfs&version=2.0.0&request=GetFeature&typeNames=topp:states&outputFormat=geopkg" -o wfs.gpkg

For more information see Using the GeoPackage Output Extension in the user guide.

  • GEOS-10351 [GSIP 206] Promote GeoPackage WFS and WMS output formats to an extension
  • GEOS-8793 WFS 1.1.0/2.0.0 GeoPackage output wrong Coordinate Order

Thanks to David Blasby and Jody Garnett (GeoCat) for packaging up this work as an extension.

Mark Factory Precedence

When rendering maps with lots of individual graphics, looking up the correct implementation (known as a MarkFactory) can be time consuming.

WMS Settings have new capability to filter out any mark factories not being used, and provide an order to prioritise the ones being used.

MarkFactory precedence

For more information see WMS Web Administration (user guide).

  • GEOS-10230 MarkFactory WMS rendering performance optimization

Thanks to Fernando Mino (GeoSolutions Group) for troubleshooting this performance issue, and proposal GSIP-205 as an optimization.

Log4J 2 Upgrade

The assessment of Log4Shell vulnerability highlighted that although GeoSever was not affected, our use of the older Log4j 1.2 was a notable risk. This discussion resulted a small fundraising effort and proposal to upgrade to Log4j 2.

The result is a small change to the user interface, listing logging profiles by name (previously the file extension was also listed).

Log4j update

Internally this release replaces changes from Log4j 1.2 logging profiles (using properties extension) to Log4j 2 logging profiles (using xml extension):

  • The built-in logging profiles (DEFAULT_LOGGING, PRODUCTION_LOGGING, …) are replaced with new Log4j 2 xml files.

  • Previous custom logging profiles will continue to be available (Log4J 2 has the ability to read the older Log4J 1.2 properties files).

  • If you made any customizations to the built-in profiles, you can recover your changes from backup bak file. You can use this backup as a reference when creating a new xml logging profile, or restore this under a different name which does not conflict with the built-in logging profiles.

    A customization to PRODUCTION_LOGGING.properties will be backed up to PRODUCTION_LOGGING.properties.bak. This can be restored by renaming PRODUCTION_LOGGING.properties.bak to CUSTOM_LOGGING.properties.

In addition to the INFO status messages, you will notice a new CONFIG logging level used during application startup:

CONFIG [org.geoserver] - GeoServer configuration lock is enabled
CONFIG [org.geoserver] - Loading catalog...
...

For more information, and examples of writing on log4J 2 profile, see Logging Settings and Advanced log configuration in the User Guide. Of note is the introduction of a new CONFIG logging level used loading and saving configuration changes.

Thanks to Jody Garnett (GeoCat) for completing this work, and to the following sponsors for supporting this activity.

Logging REST API

For more information please see Logging settings (User Guide) and GeoServer Logging (REST API).

  • GEOS-10368 Logging Controller Addition allows configuration of logging via REST API.

Thanks to Yalın Eren Deliorman for this contribution.

New WPS settings and KML input/output support

A number of improvements have been made to the WPS service:

GDAL 3.x Compatibility

The gdal-output extension is tested against GDAL 3.x series.

Please pay careful attention to the installation instructions, while the extensions includes gdal-3.2.0.jar you should double check the native binaries (included in your Linux distribution or installed by hand) and download an appropriate replacement jar online.

For more information see Installing GDAL native libraries in the User Guide.

  • GEOS-10402 Upgrade imageio-ext to 1.4.0 (tested with gdal 3.2)

Thanks to Andrea Aime (GeoSolutions) for making the ImageIO-EXT release, and Jody Garnett (GeoCat) for GDAL 3.x upgrade and testing.

Improvements and Fixes

New features:

  • GEOS-10228 Add wrap_limit property to wrap the category text values of a legend

Improvements:

  • GEOS-10146 App-schema: support for multiple geometries with different CRS
  • GEOS-10246 jdbcconfig: performance slow-down from unnecessary transactions
  • GEOS-10251 Refactor MapML vocabulary to map- custom elements HTML namespace
  • GEOS-10463 Support WCS default value for Deflate Compression
  • GEOS-10320 Support GetFeatureInfo on raster layers with transformations turning the output into vector
  • GEOS-10405 GetFeatureInfo: Support multiple featureCollections per query layer

Fixes:

  • GEOS-10226 ResourcePool leaves empty files on failure
  • GEOS-10318 CSV output format for complex features doesn’t resolve namespace URIs to prefixes on attributes names
  • GEOS-10235 Prevent double-quote to be specified as CSV separator
  • GEOS-10477 SLD - Validation error on Normalize-node
  • GEOS-10448 GetTimeSeries does not limit number of dates when using a time range request (without period)
  • GEOS-10429 Style validation error using the VendorOption “graphic-margin”
  • GEOS-10318 CSV output format for complex features doesn’t resolve namespace URIs to prefixes on attributes names

Tasks:

  • GEOS-10458 Update jai-ext to 1.1.22
  • GEOS-10446 Upgrade to commons-codec 1.15 version
  • GEOS-10363 Switch from itextpdf to openpdf for PDF map rendering

About GeoServer 2.21

Additional information on GeoServer 2.21 series:

Release notes: ( 2.21-RC )

Read More

Jiffle and GeoTools RCE vulnerabilities

A few critical vulnerabilities have been located in the GeoServer ecosystem that allow Remote Code Execution. This article describes the vulnerabilities, their mitigation, and links to patched versions of the various projects involved.

All the issues described in this post have been patched in:

The rest of the POST describes the issues and their mitigation.

RCE in Jiffle

The Jiffle map algebra language, provided by jai-ext, allows efficiently execute map algebra over large images. A vulnerability has been recently found in Jiffle, that allows a Code Injection to be performed by properly crafting a Jiffle invocation.

In the case of GeoServer, the injection can be performed from a remote request.

Assessment

GeoTools includes the Jiffle language as part of the gt-process-raster-<version> module, applications using it should check whether it’s possible to provide a Jiffle script from remote, and if so, upgrade or remove the functionality (see also the GeoServer mitigation, below).

Stand-alone GeoWebCache is not affected, as it does not include Jiffle support.

The issue is of particular interest for GeoServer users, as GeoServer embeds Jiffle in the base WAR package. Jiffle is available as a OGC function, for usage in SLD rendering transformations.

This allows for a Remote Code Execution in properly crafted OGC requests, as well as from the administration console, when editing SLD files.

Mitigations

In case you cannot upgrade at once, then the following mitigation is strongly recommended:

  1. Stop GeoServer
  2. Open the war file, get into WEB-INF/lib and remove the janino-<version>.jar
  3. Restart GeoServer.

This effectively removes the Jiffle ability to compile scripts in Java code, from any of the potential attack vectors (Janino is the library used to turn the Java code generated from the Jiffle script, into executable bytecode).

GeoServer should still work properly after the removal, but any attempt to use Jiffle will result in an exception.

Resolution

Issue:

RCE in JNDI lookups

The GeoTools data stores, as well as the disk quota mechanism of GeoWebCache, and the JDBC user/role providers for GeoServer can all fetch connection pools from JNDI.

A properly crafted JNDI source name can cause uncontrolled deserialization of classes and eventually a Remote Code Execution, in a way similar to Log4Shell. However, unlike Log4Shell, it requires the administrator to enter these strings.

Mitigations

In terms of mitigation, GeoTools users should make sure the JNDI strings given to stores cannot be provided from remote, or external parties, without validation.

Stand-alone GeoWebCache users must now allow external or remote users to change the disk quota XML configuration files, guarding both local file system access, and the REST configuration API. The REST API can only be accessed authenticating as administrator, good practices in this regard involve:

  • Disallowing remote access to the “/rest” endpoint in a GeoWebCache installation
  • Rotating the administrator passwords.

GeoServer is affected though the Web administration interface and the REST configuration API, both of which require an administrator login to be used in order to setup JNDI connection strings. In order to mitigate the issue:

  • Disallow remote access to the “/rest” and “/web” endpoints in a GeoServer installation.
  • Change/rotate the administrator passwords.

Resolution

The following issues have been resolved, and patched releases are available.

Issue:

Thanks to Andrea Aime (GeoSolutions) for working so hard on this fix.

SpringShell

Both GeoServer and GeoWebCache use Spring MVC, for REST API controllers in both projects, and for the OGC API, GSR and taskmanager community modules, in GeoServer. The projects are commonly deployed as WAR files in Tomcat, with a fair amount of deploys using Java 11 and above.

This sets up both projects for exploit via the SpringShell vulnerability. however we looked, and could not find an actual attack vector.

This release train updates to newer a version of spring-framework that patched this potential issue.

Mitigations

For those that cannot upgrade, the recommended mitigations are:

  • Run GeoServer and GeoWebCache on Java 8 instead, which is not vulnerable to the issue.
  • Upgrade Tomcat to the releases that patched the attack vector, either 9.0.62 or 8.5.78 (don’t try to use Tomcat 10.x, GeoServer cannot run on it due to incompatible J2EE libraries).
  • For extra security, limit access to the REST API, and remove community modules providing new service endpoints (OGC API, GSR, taskmanager).

Resolution

Although GeoServer assessment did not identify any issue we have now updated the the spring framework library.

Issue:

  • GEOS-10445 Upgrade springframework from 5.1.20.RELEASE to 5.2.20.RELEASE

Thanks to Gabriel Roldan (camptocamp) for troubleshooting and performing this spring-framework update.

Read More

GeoServer 2.20.4 Released

GeoServer 2.20.4 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of the 2.20.x series recommended for production systems. This release was made in conjunction with GeoTools 26.4.

Thanks to everyone who contributed, and to Andrea Aime (GeoSolutions) and Jody Garnett (GeoCat) for making this release.

Security Considerations

This release includes several security enhancements and is a recommended upgrade for production systems.

This release includes two improvements addressing Jiffle and GeoTools RCE vulnerabilities:

This release also includes:

  • GEOS-10445 Upgrade springframework from 5.1.20.RELEASE to 5.2.20.RELEASE

    Although GeoServer assessment did not identify any issue we have now updated the the spring framework library.

Add Styles support to LayerGroup

Allows layer group (layer mode SINGLE or OPAQUE) list alternate styles in addition to the default one. Each alternate style is defined by a named configuration of layers and styles providing a unique visual representation.

  • GEOS-10252 Add Styles support to LayerGroup
  • GEOS-10274 Geofence follow up LayerGroup Style addition

For more information see GSIP-205 Add Styles support to LayerGroup proposa.

Improvements and Fixes

Improvements:

  • GEOS-10434 Externalized GeoServer environment properties

  • GEOS-10427 Improve access check in ImportProcess

  • GEOS-10409 Improve deletion of WPS Execute input temp files

Fixes:

  • GEOS-10437 Breaking SLD 1.1 style by REST upload

  • GEOS-10419 NullPointerException from GeoServerOAuthAuthenticationFilter

  • GEOS-10418 Bad request sent to GeoFence when matching roles only

  • GEOS-10401 WPS GetExecutionResult doesn’t validate the mimetype parameter

  • GEOS-10400 Disabling WMS dynamic styling does not affect GetLegendGraphic requests

  • GEOS-10393 WFS-T deletes the wrong features (and further BatchManager issues)

  • GEOS-9978 WMS vendor parameter CLIP - ignores TIME/CQL_FILTER and other parameters when using with ImageMosaic

Tasks:

  • GEOS-10445 Upgrade springframework from 5.1.20.RELEASE to 5.2.20.RELEASE

  • GEOS-10303 Upgrade to jackson 2.13.2

For more information see 2.20.4 release notes.

About GeoServer 2.20

Additional information on GeoServer 2.20 series:

Release notes: ( 2.20.4 | 2.20.3 | 2.20.2 | 2.20.1 | 2.20.0 | 2.20-RC )

Read More

GeoServer 2.19.6 Released

GeoServer 2.19.6 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is an extra maintenance release of the 2.19.x series recommended for production systems. This release was made in conjunction with GeoTools 25.6.

Thanks to everyone who contributed, and to Andrea Aime (GeoSolutions) for making this release.

Security Considerations

This release includes several security enhancements and is a recommended upgrade for production systems.

This release includes two improvements addressing Jiffle and GeoTools RCE vulnerabilities:

This release also includes:

  • GEOS-10445 Upgrade springframework from 5.1.20.RELEASE to 5.2.20.RELEASE

    Although GeoServer assessment did not identify any issue we have now updated the the spring framework library.

Improvements and Fixes

Fixes:

  • GEOS-10437 Breaking SLD 1.1 style by REST upload

  • GEOS-10336 INSPIRE failure: version not propagated in GetCapabilities LegendURL

  • GEOS-9978 WMS vendor parameter CLIP - ignores TIME/CQL_FILTER and other parameters when using with ImageMosaic

Tasks:

For more information see 2.19.6 release notes.

About GeoServer 2.19

Additional information on GeoServer 2.19 series:

Release notes ( 2.19.6 | 2.19.5 | 2.19.4 | 2.19.3 | 2.19.2 | 2.19.1 | 2.19.0 | 2.19-RC )

Read More

GeoServer 2.18.6 Released

GeoServer 2.18.6 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is an extra maintenance release of the 2.18.x series recommended for production systems that have not yet upgraded to 2.19. This release was made in conjunction with GeoTools 24.6.

Thanks to everyone who contributed, and to Andrea Aime (GeoSolutions) and Jody Garnett (GeoCat) for making this release.

Security Considerations

This release includes security enhancements and is a recommended upgrade for production systems.

This release includes two improvements addressing Jiffle and GeoTools RCE vulnerabilities:

This release also includes:

  • GEOS-10445 Upgrade Spring Framework from 5.1.20.RELEASE to 5.2.20.RELEASE

    Although GeoServer assessment did not identify any issue we have now updated the the spring framework library.

Improvements and Fixes

  • GEOS-10437 Breaking SLD 1.1 style by REST upload

  • GEOS-10249 GWC produce NPE when it comes to race condition

  • GEOS-10215 Layers nested inside a group maintain their prefix even in workspace specific services

  • GEOS-10213 WMS requests fail on LayerGroup default style names, when used in GetMap/GetFeatureInfo/GetLegendGraphics

  • GEOS-10200 GetLegendGraphic can fail if SCALE removes all rules

  • GEOS-10321 WCS 2.0 might fail to return coverages whose native BBOX goes slighly outside of the dateline

  • GEOS-10194 Improve importer LOGGING

  • GEOS-10335 Update GeoServer to a log4j version that does not support RCEs

For more information see 2.18.6 release notes.

About GeoServer 2.18

Additional information on GeoServer 2.18 series:

Release Notes ( 2.18.6 | 2.18.5 | 2.18.4 | 2.18.3 | 2.18.2 | 2.18.1 | 2.18.0 | 2.18-RC )

Read More