OGC Filter Injection Vulnerability Statement

Feb 20, 2023 • Jody Garnett

A vulnerability has located in the GeoTools Library that allows SQL Injection using OGC Filter and Function expressions.

CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)
CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)

If you wish to report a security vulnerability, see instructions on responsible reporting. We also welcome your direct financial support.

Assessment

SQL Injection Vulnerabilities have been found with:

PropertyIsLike filter, when used with a String field and any relational database based Store, or with a PostGIS DataStore with encode functions enabled, or with any image mosaic with an index stored in a relational database.
strEndsWith function, when used with a PostGIS DataStore with encode functions enabled
strStartsWith function, when used with a PostGIS DataStore with encode functions enabled
FeatureId filter, when used with any database table having a String primary key column and when prepared statements are disabled
jsonArrayContains function, when used with a String or JSON field and with a PostGIS or Oracle DataStore (GeoServer 2.22.0+ only)
DWithin filter, when used with an Oracle DataStore

Mitigation

We recommend upgrading. The following list of mitigations is addressing some of the issues (e.g., the PropertyIsLike issue has no mitigation for tables with a string field):

Disabling the PostGIS Datastore encode functions setting to mitigate strEndsWith, strStartsWith (will cause severe slowdowns in parts of the WMTS multidimensional plugin functionality, if in use).
Enabling the PostGIS DataStore preparedStatements setting to mitigate the FeatureId vulnerability.
No mitigation is available for PropertyIsLike filter, you may choose to disable database DataStores until you are able to upgrade.
No mitigation is available for DWithin with Oracle DataStore, you may choose to disable Oracle DataStores until you are able to upgrade.
As a good practice to limit the attack surface, it’s important to give the database account used for connection pools the minimum required level of privileges (e.g., read-only unless WFS-T/importer/REST granule harvesting are used, access limited only to the schemas and tables needed for production usage)

Resolution

Issues:

GEOT-7302 Escape user inputs in SQL queries
GEOS-10842 Escape user inputs in SQL queries
GEOS-10839 Add JDBC Configuration parameter to disable SQL comments and pretty-printing

A related issue with the community jdbc-config module.

Patched releases:

If you wish to volunteer to backport these fixes to other GeoServer series and make a release co-ordinate on the developers list. If you are not in a position to collaborate reach out to a commercial support provider to act on your behalf.

Thanks to Steve Ikeoka for responsibly reporting and fixing these issues. Thanks to Jody Garnett (GeoCat) for the stable and maintenance releases. Thanks to Andrea Aime (GeoSolutions) for back porting this fix to versions of GeoTools and GeoServer that are otherwise no longer receiving releases.

GeoServer 2.22.2 Release

Feb 20, 2023 • Jody Garnett

GeoServer 2.22.2 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of the GeoServer 2.22.x series, made in conjunction with GeoTools 28.2 and GeoWebCache 1.22.1.

This release was scheduled early to address a security vulnerability. Thanks to Jody Garnett for making this release on behalf of GeoCat Live.

Security Considerations

This release addresses a security vulnerability and is considered an essential upgrade for production systems:

CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)

For more information see OGC Filter Injection Vulnerability Statement.

2024-06-30 Update: The following mitigation has been provided:

CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical)

geoserver-2.22.2-patches.zip (replacing gt-app-schema, gt-complex and gt-xsd-core jars) has been provided by Andrea (GeoSolutions)

See project security policy for more information on how security vulnerabilities are managed.

Natural Earth 50m Sample Data

The Natural Earth ne workspace has been improved with 1:50m sample data offering the following:

improved detail
country labels in multiple languages
disputed regions

World 50m Update

The countries.sld style includes the following:

<sld:TextSymbolizer>
  <sld:Label>
    <ogc:Function name="Recode">
      <ogc:Function name="language"/>
      <ogc:Literal/>
      <ogc:PropertyName>NAME</ogc:PropertyName>
      <ogc:Literal>en</ogc:Literal>
      <ogc:PropertyName>NAME</ogc:PropertyName>
      <ogc:Literal>it</ogc:Literal>
      <ogc:PropertyName>NAME_IT</ogc:PropertyName>
      <ogc:Literal>fr</ogc:Literal>
      <ogc:PropertyName>NAME_FR</ogc:PropertyName>
    </ogc:Function>
  </sld:Label>

To try this out in French append &LANGUAGE=fr to any GetMap request, including Layer Preview.

World 50m French

These styles also now validate. Thanks to Jody Garnett (GeoCat) for this work.

GEOS-10624 Data directory and documentation update
GEOS-10836 The demo styles in “ne” workspace do not validate

Welcome Page Performance Improvements

The welcome page loading is now limited to a short amount of time to retrieve the list of workspaces and layers to select from. For large catalogues, with lots of security restrictions, that are unable to respond in this time, a simple text field is provided.

Welcome Dropdown Selection

To force the use of a simple text field the property GeoServerHomePage.selectionMode=TEXT can be used. Use DROPDOWN to force a selection control to be used, or AUTOMATIC to determine the behaviour based on catalogue performance as described above.

The default time out GeoServerHomePage.selectionTimeout=5000 for interaction can be adjusted if you would like to provide the catalogue more time to respond.

By default GeoServerHomePage.selectionMaxItems=1000 workspaces or layers can be loaded. This number may be limited further if you find browser performance is affected.

Thanks to Andrea (GeoSolutions) for these performance improvements, and Jody Garnett for a number of smaller fixes.

GEOS-10833 GeoServerHomePage unresponsive against large catalogs
GEOS-10759 Welcome page unreachable with large / slow catalogue configuration
GEOS-10838 Speed up DefaultResourceAccessManager securityFilter implementation
GEOS-10834 Catalog.list might require a lot of time due to security filtering
GEOS-10847 Selecting a raster layer in home page shows incorrect services
GEOS-10861 Welcome blurb i18n not respecting language switch

Community Modules

OGC API updates:

GEOS-10860 OGC API should return version including minor and patch in HTTP Response Header
GEOS-10828 OGC API - Features - Plugin breaks core `/rest` API with JSON payloads

The JDBC Config module received several important fixes:

GEOS-10814 Update jdbc config to use consistent SQL formatting
GEOS-10813 jdbc config cache bug
GEOS-10829 JDBC Config missing some nested layer properties
GEOS-10842 Escape user inputs in SQL queries

Release notes

Improvement:

GEOS-10851 GWC S3 Blobstore Parameters Get Converted back to plain text after an application restart

Bug:

GEOS-7506 shutdown.bat cannot run without JAVA_HOME set
GEOS-10689 OSHISystemInfoCollector holds non daemon threads, prevents clean shutdown of Tomcat
GEOS-10846 Enable auto-escaping for REST HTML templates

Task:

GEOS-10683 FileWrapperResourceTheoryTest fails on Windows since Java 11
GEOS-10848 Column remarks documentation should be updated to reflect that functionality is supported with JNDI

For complete information see 2.22.2 release notes.

About GeoServer 2.22

Additional information on GeoServer 2.22 series:

Update Instructions
Metadata extension
CSW ISO Metadata extension
State of GeoServer (FOSS4G Presentation)
GeoServer Beginner Workshop (FOSS4G Workshop)
Welcome page (User Guide)

Release notes: ( 2.22.2 | 2.22.1 | 2.22.0 | 2.22-RC | 2.22-M0 )