GeoServer Blog
GeoServer 2.21.1 Release
GeoServer 2.21.1 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is a stable release of the GeoServer 2.21.x series, made in conjunction with GeoTools 27.1 and GeoWebCache 1.21.1.
Thanks to Jody Garnett (GeoCat) for making this release.
Server Status
The server status page has been cleaned up with a few quality of life improvements:
- Units supplied for numbers, such as “7 threads” or “30,000 ms”
- Number of items held in the resource cache is shown, so there is visual feedback when using the Clear button.
- Documentation has been updated to cover all the status field descriptions and document the available actions
For more information see Server Status page.
JVM Console
A new JVM Console tab has been added to the server status page allowing a summary of memory use to be reviewed and downloaded, and a summary of active threads to be reviewed and downloaded.
For more information see JVM Console.
Workspace headers for proxy url
A checkbox Use headers for Proxy URL has been added to the workspace page.
This setting lets an individual workspace use headers for the proxy URL (even when the default in global settings has been disabled).
Improvements and Fixes
Improvement:
GEOS-10580 Server status page improvements for status, modules and docs
GEOS-10521 Allow GetFeatureInfo over raster layers to identify both original raster and transformed vectors
GEOS-10514 Better capture catalog configuration issues: layergroup with a misconfigured layer
GEOS-10501 GetMap: support auth headers forwarding to remote SLD urls
GEOS-10495 Request Logger Memory Buffer Limits
GEOS-10489 Add options to LDAP Role Service to configure prefixes and enforce capitalization
GEOS-10464 Improve logging and check for NPEs and other issues in Importer Module
Bug:
GEOS-10584 Enabling logging of request body results in stream closed errors in tomcat environment
GEOS-10570 Deleting a style in a Hazelcast cluster renames the styles directory
GEOS-10553 Importer replace fails with schema mismatch
GEOS-10548 GeoFence layer group handling is inconsistent
GEOS-10546 Invalid time expressions used in WCS 2.0 subset return a code 200 with generic exception
GEOS-10545 Layer Group cache not initialized
GEOS-10539 DescribeLayer typeName is no longer workspace qualified
GEOS-10535 WFS Update request throw NPE on bad namespace
GEOS-10534 a badly formed delete transaction will get a NPE instead of an informative error message
GEOS-10533 Review startup logging INFO and WARN updates
GEOS-10526 Parallel REST API calls failures
GEOS-10522 REST API Failure in @ExceptionHandler No input String specified
GEOS-10518 Partial RELINQUISH_LOG4J_CONTROL regression with WildFly
GEOS-10516 WMS GetCapabilities dimension representations ignores the end attribute
GEOS-10496 Using the REST API to purge NetCDF granules causes a seemingly infinite loop
GEOS-10487 Custom logging configuration not respecting log location setting
GEOS-10468 (virtually) Impossible to turn off “Enable All Statistics” in > Server status > System Status
Tasks:
GEOS-10588 Build structure gs-sec-oauth2-core is duplicated in the reactor
GEOS-10585 Upgrade to Jetty from 9.4.44 to 9.4.48
GEOS-10579 Bump oshi-core from 6.2.0 to 6.2.1
GEOS-10562 Bump oshi-core from 5.8.6 to 6.2.0
GEOS-10551 Refactor commons-httpclient usage in the WPS module
GEOS-10532 FreemarkerTemplateManager API changes for easier subclassing
GEOS-10529 Use Awaitility to replace waits for condition in tests
GEOS-10525 Centralize and simplify management of common test dependencies
About GeoServer 2.21
Additional information on GeoServer 2.21 series:
GeoServer 2.20.5 Released
We are happy to announce GeoServer 2.20.5 release is available with downloads (bin, war, windows), along with docs and extensions.
This is a maintenance release of the 2.20.x series recommended for production systems. This release was made in conjunction with GeoTools 26.5 and GeoWebCache 1.20.3.
Improvements and Fixes
- The request logger is now configurable from the UI (from the “Global settings” panel),
- Importer improvements to support REPLACE mode on raster layers (in addition to the existing support for vector ones).
- The KML-PPIO module has graduated to extension (allows KML encoding of feature collections in WPS processes). It’s now included in the WPS plugin download.
- WPS fetching of remote inputs can be disabled.
- Allow controlling usage of headers in proxy base URL expansion at the workspace level.
For the full list of fixes and improvements, see 2.20.5 release notes.
About GeoServer 2.20
Additional information on GeoServer 2.20 series:
GeoServer 2.21.0 Release
GeoServer 2.21.0 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is a first release of the new stable branch of GeoServer and is made in conjunction with GeoTools 27.0 and GeoWebCache 1.21.0.
- GeoServer now supports Java 17! This is likely to be the last release that supports Java 8 and we encourage users to start to make the transition to Java 11 during the lifetime of this branch.
- Thanks to everyone who helped test the release candidate on and off list: Daniel Calliess, Georg Weickelt, Stefan Overkamp, Nicolas Matzick, Sander Schaminee, Jose Garcia, Rosa Briones, Jody Garnett, Andrea Aime, Ian Turton.
Thanks to Ian Turton, Astun Technology, for making this release.
Feature Type Customization
We are pleased to share a long-requested feature - the ability to rename attributes and change attribute order when publishing a FeatureType.
It is also possible to change attribute type, and with the use of ECQL expressions generate new attributes on the fly.
The above example works around the limitations of shapefile to use longer names, and creates a new attribute capital on the fly from an expression, as shown in the following GetFeatureInfo output.
This is a great new addition to GeoServer, please see Feature Type Details in the user guide for details.
- GEOS-10356 Allow feature type customization
Thanks to Andrea Aime (GeoSolutions) for proposal GSIP-207 and implementation, and Canton of Solothurn for funding the work.
Translations and Language Chooser
A big thanks to Alexandre Gacon and everyone who helped improve GeoServer internationalization during this release cycle.
To support this activity Andrea Aime has contributed a language chooser to the top of the screen (near the login button).
For more information see Choosing the UI language (User Guide).
- GEOS-1158 Specify Geoserver UI Language in Configuration
Add Styles support to LayerGroup
Layer groups can now be configured with additional styles, with each style listing a series of layers along with the style used to render each layer.
This allows a SINGLE or OPAQUE layer group to list alternate styles in addition to the default one. Each alternate style is defined by a named configuration of layers and styles providing a unique visual representation.
In the above example the layer group Tasmania is set up with an alternate “data” presentation, presenting the content with the geoserver default styles point, line and polygon.
For more information see Layer Group Styles (User Guide).
- GEOS-10252 Add Styles support to LayerGroup
- GEOS-10274 Geofence follow up LayerGroup Style addition
Thanks to Marco Volpini (GeoSolutions) for GSIP-205 proposal and implementation, and the Swedish Agency for Marine and Water Management for sponsoring this new functionality.
GeoPackage WMS and WFS Output
The result of proposal GSIP-206 is the creation of the gs-geopkg-output extension packaging up the WFS and WMS output formats from the geopackage community module.
curl "http://localhost:8080/geoserver/wfs?service=wfs&version=2.0.0&request=GetFeature&typeNames=topp:states&outputFormat=geopkg" -o wfs.gpkg
For more information see Using the GeoPackage Output Extension in the user guide.
- GEOS-10351 [GSIP 206] Promote GeoPackage WFS and WMS output formats to an extension
- GEOS-8793 WFS 1.1.0/2.0.0 GeoPackage output wrong Coordinate Order
Thanks to David Blasby and Jody Garnett (GeoCat) for packaging up this work as an extension. This work was supported in part by Rijkswaterstaat.
Mark Factory Precedence
When rendering maps with lots of individual graphics, looking up the correct implementation (known as a MarkFactory) can be time consuming.
WMS Settings have new capability to filter out any mark factories not being used, and provide an order to prioritise the ones being used.
For more information see WMS Web Administration (user guide).
- GEOS-10230 MarkFactory WMS rendering performance optimization
Thanks to Fernando Mino (GeoSolutions Group) for troubleshooting this performance issue, and proposal GSIP-204 as an optimization. Thanks to EMSA for sponsoring the improvement.
Log4J 2 Upgrade
The assessment of the Log4Shell vulnerability highlighted that although GeoServer was not affected, our use of the older Log4j 1.2 was a notable risk. This discussion resulted in a small fundraising effort and a proposal to upgrade to Log4j 2.
The result is a small change to the user interface, listing logging profiles by name (previously the file extension was also listed).
Internally this release changes from Log4j 1.2 logging profiles (using the properties extension) to Log4j 2 logging profiles (using the xml extension):
- The built-in logging profiles (DEFAULT_LOGGING, PRODUCTION_LOGGING, …) are replaced with new Log4j 2 xml files.
- Previous custom logging profiles will continue to be available (Log4J 2 has the ability to read the older Log4J 1.2 properties files).
- If you made any customizations to the built-in profiles, you can recover your changes from the backup bak file. You can use this backup as a reference when creating a new xml logging profile, or restore it under a different name which does not conflict with the built-in logging profiles. A customization to PRODUCTION_LOGGING.properties will be backed up to PRODUCTION_LOGGING.properties.bak. This can be restored by renaming PRODUCTION_LOGGING.properties.bak to CUSTOM_LOGGING.properties.
In addition to the INFO status messages, you will notice a new CONFIG logging level used during application startup:
CONFIG [org.geoserver] - GeoServer configuration lock is enabled
CONFIG [org.geoserver] - Loading catalog...
...
For more information, and examples of writing a Log4J 2 profile, see Logging Settings and Advanced log configuration in the User Guide.
- GEOS-10426 GSIP 167: Upgrade Log4j
Thanks to Jody Garnett (GeoCat) for completing this work, and to the following sponsors for supporting this activity.
Logging REST API
For more information please see Logging settings (User Guide) and GeoServer Logging (REST API).
- GEOS-10368 Logging Controller Addition allows configuration of logging via REST API.
Thanks to Yalın Eren Deliorman (GeoSolutions) for this contribution, and Eumetsat for sponsoring the work.
New WPS settings and KML input/output support
A number of improvements have been made to the WPS service:
- GEOS-10443 Graduate kml-ppio community module to wps extension. Thanks to GeoSolutions for taking the maintainership of the module, and Masego Inc. for sponsoring the graduation work. KML can now be used with the WPS service for both input and output parameters.
- GEOS-10391 Add external output directory setting to limit where processes can write. See WPS setting for external output directory in the User Guide.
- GEOS-10431 Add WPS setting to disable remote complex inputs. See WPS Security and input limits in the User Guide.
Thanks to the GeoNode project for these WPS improvements.
GDAL 3.x Compatibility
The gdal-output extension is tested against the GDAL 3.x series.
Please pay careful attention to the installation instructions: while the extension includes gdal-3.2.0.jar, you should double check the native binaries (included in your Linux distribution or installed by hand) and download an appropriate replacement jar online.
For more information see Installing GDAL native libraries in the User Guide.
- GEOS-10402 Upgrade imageio-ext to 1.4.0 (tested with gdal 3.2)
Thanks to Andrea Aime (GeoSolutions) for making the ImageIO-EXT release, and Jody Garnett (GeoCat) for GDAL 3.x upgrade and testing. This work was supported in part by Rijkswaterstaat.
Improvements and Fixes
New features:
- GEOS-10228 Add wrap_limit property to wrap the category text values of a legend
Improvements:
- GEOS-10146 App-schema: support for multiple geometries with different CRS
- GEOS-10246 jdbcconfig: performance slow-down from unnecessary transactions
- GEOS-10251 Refactor MapML vocabulary to map- custom elements HTML namespace
- GEOS-10463 Support WCS default value for Deflate Compression
- GEOS-10320 Support GetFeatureInfo on raster layers with transformations turning the output into vector
- GEOS-10405 GetFeatureInfo: Support multiple featureCollections per query layer
Fixes:
- GEOS-10226 ResourcePool leaves empty files on failure
- GEOS-10318 CSV output format for complex features doesn’t resolve namespace URIs to prefixes on attributes names
- GEOS-10235 Prevent double-quote to be specified as CSV separator
- GEOS-10477 SLD - Validation error on Normalize-node
- GEOS-10448 GetTimeSeries does not limit number of dates when using a time range request (without period)
- GEOS-10429 Style validation error using the VendorOption “graphic-margin”
- GEOS-10502 GML3 output is not pretty printed when pretty print is turned on in global settings.
Tasks:
- GEOS-10458 Update jai-ext to 1.1.22
- GEOS-10446 Upgrade to commons-codec 1.15 version
- GEOS-10363 Switch from itextpdf to openpdf for PDF map rendering
About GeoServer 2.21
Additional information on GeoServer 2.21 series:
GeoServer 2.21-RC Release Candidate
GeoServer 2.21-RC release is now available with downloads (bin, war, windows), along with docs and extensions.
This is a GeoServer release candidate made in conjunction with GeoTools 27-RC and GeoWebCache 1.21-RC.
- Release candidates are a community building exercise and are not intended for production use.
- We ask the community (everyone: individuals, organizations, service providers) to download and thoroughly test this release candidate and report back.
- Testing priority is the new internationalization support
- Participating in testing release candidates is a key expectation of our open source social contract. We make an effort to thank each person who tests in our release announcement and project presentations!
- GeoServer commercial service providers are fully expected to test on behalf of their customers.
Release Candidate Testing Priorities
We would like to ask for your assistance testing the following:
- Try out the new language chooser, and if you spot any translations you can help out with we would love your assistance translating geoserver.
- The ability to customize feature types allows for a lot of creativity, please try this out and share your examples.
- This release features a new Log4J logging system. If you only choose between the built-in logging profiles we expect everything to be smooth and uneventful. If you have made any custom logging profiles, or customized the built-in logging profiles in place, some additional care is required (see below). We are very interested in this upgrade process and ask for your feedback and testing at this time.
- For those using GDAL or OGR please check the instructions below on upgrading to GDAL 3.
A reminder that open-source is a community activity and we ask everyone to take part at this time.
Feature Type Customization
We are pleased to share a long-requested feature - the ability to rename attributes and change attribute order when publishing a FeatureType.
It is also possible to change attribute type, and with the use of ECQL expressions generate new attributes on the fly.
The above example works around the limitations of shapefile to use longer names, and creates a new attribute capital on the fly from an expression, as shown in the following GetFeatureInfo output.
This is a great new addition to GeoServer, please see Feature Type Details in the user guide for details.
- GEOS-10356 Allow feature type customization
Thanks to Andrea Aime (GeoSolutions) for proposal GSIP-207 and implementation.
Translations and Language Chooser
A big thanks to Alexandre Gacon and everyone who helped improve GeoServer internationalization during this release cycle.
To support this activity Andrea Aime has contributed a language chooser to the top of the screen (near the login button).
For more information see Choosing the UI language (User Guide).
- GEOS-1158 Specify Geoserver UI Language in Configuration
Add Styles support to LayerGroup
Layer groups can now be configured with additional styles, with each style listing a series of layers along with the style used to render each layer.
This allows a SINGLE or OPAQUE layer group to list alternate styles in addition to the default one. Each alternate style is defined by a named configuration of layers and styles providing a unique visual representation.
In the above example the layer group Tasmania is set up with an alternate “data” presentation, presenting the content with the geoserver default styles point, line and polygon.
For more information see Layer Group Styles (User Guide).
- GEOS-10252 Add Styles support to LayerGroup
- GEOS-10274 Geofence follow up LayerGroup Style addition
Thanks to Marco Volpini (GeoSolutions) for GSIP-205 proposal and implementation.
GeoPackage WMS and WFS Output
The result of proposal GSIP-206 is the creation of the gs-geopkg-output extension packaging up the WFS and WMS output formats from the geopackage community module.
curl "http://localhost:8080/geoserver/wfs?service=wfs&version=2.0.0&request=GetFeature&typeNames=topp:states&outputFormat=geopkg" -o wfs.gpkg
For more information see Using the GeoPackage Output Extension in the user guide.
- GEOS-10351 [GSIP 206] Promote GeoPackage WFS and WMS output formats to an extension
- GEOS-8793 WFS 1.1.0/2.0.0 GeoPackage output wrong Coordinate Order
Thanks to David Blasby and Jody Garnett (GeoCat) for packaging up this work as an extension.
Mark Factory Precedence
When rendering maps with lots of individual graphics, looking up the correct implementation (known as a MarkFactory) can be time consuming.
WMS Settings have new capability to filter out any mark factories not being used, and provide an order to prioritise the ones being used.
For more information see WMS Web Administration (user guide).
- GEOS-10230 MarkFactory WMS rendering performance optimization
Thanks to Fernando Mino (GeoSolutions Group) for troubleshooting this performance issue, and proposal GSIP-205 as an optimization.
Log4J 2 Upgrade
The assessment of the Log4Shell vulnerability highlighted that although GeoServer was not affected, our use of the older Log4j 1.2 was a notable risk. This discussion resulted in a small fundraising effort and a proposal to upgrade to Log4j 2.
The result is a small change to the user interface, listing logging profiles by name (previously the file extension was also listed).
Internally this release changes from Log4j 1.2 logging profiles (using the properties extension) to Log4j 2 logging profiles (using the xml extension):
- The built-in logging profiles (DEFAULT_LOGGING, PRODUCTION_LOGGING, …) are replaced with new Log4j 2 xml files.
- Previous custom logging profiles will continue to be available (Log4J 2 has the ability to read the older Log4J 1.2 properties files).
- If you made any customizations to the built-in profiles, you can recover your changes from the backup bak file. You can use this backup as a reference when creating a new xml logging profile, or restore it under a different name which does not conflict with the built-in logging profiles. A customization to PRODUCTION_LOGGING.properties will be backed up to PRODUCTION_LOGGING.properties.bak. This can be restored by renaming PRODUCTION_LOGGING.properties.bak to CUSTOM_LOGGING.properties.
In addition to the INFO status messages, you will notice a new CONFIG logging level used during application startup:
CONFIG [org.geoserver] - GeoServer configuration lock is enabled
CONFIG [org.geoserver] - Loading catalog...
...
For more information, and examples of writing a Log4J 2 profile, see Logging Settings and Advanced log configuration in the User Guide. Of note is the introduction of a new CONFIG logging level used when loading and saving configuration changes.
- GEOS-10426 GSIP 167: Upgrade Log4j
Thanks to Jody Garnett (GeoCat) for completing this work, and to the following sponsors for supporting this activity.
Logging REST API
For more information please see Logging settings (User Guide) and GeoServer Logging (REST API).
- GEOS-10368 Logging Controller Addition allows configuration of logging via REST API.
Thanks to Yalın Eren Deliorman for this contribution.
New WPS settings and KML input/output support
A number of improvements have been made to the WPS service:
-
GEOS-10443 Graduate kml-ppio community module to wps extension
KML can now be used with WPS service for both input and output parameters.
-
GEOS-10391 Add external output directory setting to limit where processes can write
See WPS setting for external output directory in User Guide.
-
GEOS-10431 Add WPS setting to disable remote complex inputs.
See WPS Security and input limits in User Guide.
GDAL 3.x Compatibility
The gdal-output extension is tested against the GDAL 3.x series.
Please pay careful attention to the installation instructions: while the extension includes gdal-3.2.0.jar, you should double check the native binaries (included in your Linux distribution or installed by hand) and download an appropriate replacement jar online.
For more information see Installing GDAL native libraries in the User Guide.
- GEOS-10402 Upgrade imageio-ext to 1.4.0 (tested with gdal 3.2)
Thanks to Andrea Aime (GeoSolutions) for making the ImageIO-EXT release, and Jody Garnett (GeoCat) for GDAL 3.x upgrade and testing.
Improvements and Fixes
New features:
- GEOS-10228 Add wrap_limit property to wrap the category text values of a legend
Improvements:
- GEOS-10146 App-schema: support for multiple geometries with different CRS
- GEOS-10246 jdbcconfig: performance slow-down from unnecessary transactions
- GEOS-10251 Refactor MapML vocabulary to map- custom elements HTML namespace
- GEOS-10463 Support WCS default value for Deflate Compression
- GEOS-10320 Support GetFeatureInfo on raster layers with transformations turning the output into vector
- GEOS-10405 GetFeatureInfo: Support multiple featureCollections per query layer
Fixes:
- GEOS-10226 ResourcePool leaves empty files on failure
- GEOS-10318 CSV output format for complex features doesn’t resolve namespace URIs to prefixes on attributes names
- GEOS-10235 Prevent double-quote to be specified as CSV separator
- GEOS-10477 SLD - Validation error on Normalize-node
- GEOS-10448 GetTimeSeries does not limit number of dates when using a time range request (without period)
- GEOS-10429 Style validation error using the VendorOption “graphic-margin”
Tasks:
- GEOS-10458 Update jai-ext to 1.1.22
- GEOS-10446 Upgrade to commons-codec 1.15 version
- GEOS-10363 Switch from itextpdf to openpdf for PDF map rendering
About GeoServer 2.21
Additional information on GeoServer 2.21 series:
Release notes: (2.21-RC)
Jiffle and GeoTools RCE vulnerabilities
A few critical vulnerabilities have been located in the GeoServer ecosystem that allow Remote Code Execution. This article describes the vulnerabilities, their mitigation, and links to patched versions of the various projects involved.
All the issues described in this post have been patched in:
- GeoServer 2.20.4, 2.19.6 or 2.18.6
- GeoWebCache 1.20.2, 1.19.3 or 1.18.5
- GeoTools 26.4, 25.6 or 24.6
- JAI-EXT 1.1.22
The rest of the POST describes the issues and their mitigation.
RCE in Jiffle
The Jiffle map algebra language, provided by jai-ext, allows efficient execution of map algebra over large images. A vulnerability has recently been found in Jiffle that allows a Code Injection to be performed by properly crafting a Jiffle invocation.
In the case of GeoServer, the injection can be performed from a remote request.
Assessment
GeoTools includes the Jiffle language as part of the gt-process-raster-<version> module; applications using it should check whether it’s possible to provide a Jiffle script from remote, and if so, upgrade or remove the functionality (see also the GeoServer mitigation, below).
Stand-alone GeoWebCache is not affected, as it does not include Jiffle support.
The issue is of particular interest for GeoServer users, as GeoServer embeds Jiffle in the base WAR package. Jiffle is available as an OGC function, for usage in SLD rendering transformations.
This allows for Remote Code Execution through properly crafted OGC requests, as well as from the administration console when editing SLD files.
Mitigations
In case you cannot upgrade at once, then the following mitigation is strongly recommended:
- Stop GeoServer
- Open the war file, get into WEB-INF/lib and remove the janino-<version>.jar
- Restart GeoServer.
This effectively removes Jiffle’s ability to compile scripts into Java code, from any of the potential attack vectors (Janino is the library used to turn the Java code generated from the Jiffle script into executable bytecode).
GeoServer should still work properly after the removal, but any attempt to use Jiffle will result in an exception.
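As an added illustration (not part of the original post), the following POSIX shell script audits an exploded GeoServer webapp directory for the Janino jar the mitigation above removes, and quarantines it so the change can be reverted after upgrading. The directory layout and jar file names it creates are constructed for the demo; set GEOSERVER_HOME to the real exploded webapp when using it.

```shell
#!/bin/sh
# Audit an exploded GeoServer webapp for the Janino jar that the Jiffle
# mitigation removes. Paths and jar names below are assumptions for the
# demo; point the functions at your own exploded webapp directory.

# Returns 0 if a janino-*.jar is present under WEB-INF/lib (Jiffle can
# still compile scripts), 1 if none is found, 2 if WEB-INF/lib is missing.
janino_present() {
  lib="$1/WEB-INF/lib"
  [ -d "$lib" ] || return 2
  for jar in "$lib"/janino-*.jar; do
    [ -e "$jar" ] && return 0
  done
  return 1
}

# Move every janino-*.jar out of WEB-INF/lib into a quarantine directory
# beside it, so the jar can be restored after upgrading to a patched
# release. Returns 0 if at least one jar was moved, 1 otherwise.
quarantine_janino() {
  lib="$1/WEB-INF/lib"
  quarantine="$1/WEB-INF/lib-quarantine"
  moved=0
  for jar in "$lib"/janino-*.jar; do
    [ -e "$jar" ] || continue
    mkdir -p "$quarantine"
    mv "$jar" "$quarantine/"
    echo "moved $(basename "$jar") -> $quarantine"
    moved=1
  done
  [ "$moved" -eq 1 ]
}

# Constructed sample deployment for the demo (not a real GeoServer tree;
# the version numbers in the file names are placeholders).
make_sample_webapp() {
  dir="$1"
  mkdir -p "$dir/WEB-INF/lib"
  : > "$dir/WEB-INF/lib/janino-0.0.0-sample.jar"
  : > "$dir/WEB-INF/lib/jt-jiffle-0.0.0-sample.jar"
}

# Stand-alone walk-through on the constructed tree: run with --demo.
# On a real server the sequence is stop GeoServer, quarantine, restart.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_webapp "$tmp/geoserver"
  janino_present "$tmp/geoserver" && echo "janino present: Jiffle can compile"
  quarantine_janino "$tmp/geoserver"
  janino_present "$tmp/geoserver" || echo "janino removed: Jiffle disabled"
  rm -rf "$tmp"
fi
```

Only the Janino jar is touched; the Jiffle jar itself stays in place, matching the post's note that Jiffle use then fails with an exception rather than breaking the rest of GeoServer.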
Resolution
Issue:
- GEOS-10458 Upgrade to JAI-EXT 1.1.22
RCE in JNDI lookups
The GeoTools data stores, as well as the disk quota mechanism of GeoWebCache, and the JDBC user/role providers for GeoServer can all fetch connection pools from JNDI.
A properly crafted JNDI source name can cause uncontrolled deserialization of classes and eventually a Remote Code Execution, in a way similar to Log4Shell. However, unlike Log4Shell, it requires the administrator to enter these strings.
Mitigations
In terms of mitigation, GeoTools users should make sure the JNDI strings given to stores cannot be provided from remote, or external parties, without validation.
Stand-alone GeoWebCache users must not allow external or remote users to change the disk quota XML configuration files, guarding both local file system access and the REST configuration API. The REST API can only be accessed by authenticating as administrator; good practices in this regard involve:
- Disallowing remote access to the “/rest” endpoint in a GeoWebCache installation
- Rotating the administrator passwords.
GeoServer is affected through the Web administration interface and the REST configuration API, both of which require an administrator login in order to set up JNDI connection strings. In order to mitigate the issue:
- Disallow remote access to the “/rest” and “/web” endpoints in a GeoServer installation.
- Change/rotate the administrator passwords.
Resolution
The following issues have been resolved, and patched releases are available.
Issue:
- GEOT-7115 Streamline JNDI lookups
Thanks to Andrea Aime (GeoSolutions) for working so hard on this fix.
SpringShell
Both GeoServer and GeoWebCache use Spring MVC, for REST API controllers in both projects, and for the OGC API, GSR and taskmanager community modules in GeoServer. The projects are commonly deployed as WAR files in Tomcat, with a fair number of deployments using Java 11 and above.
This sets up both projects for exploitation via the SpringShell vulnerability; however, we looked and could not find an actual attack vector.
This release train updates to a newer version of spring-framework that patched this potential issue.
Mitigations
For those that cannot upgrade, the recommended mitigations are:
- Run GeoServer and GeoWebCache on Java 8 instead, which is not vulnerable to the issue.
- Upgrade Tomcat to the releases that patched the attack vector, either 9.0.62 or 8.5.78 (don’t try to use Tomcat 10.x, GeoServer cannot run on it due to incompatible J2EE libraries).
- For extra security, limit access to the REST API, and remove community modules providing new service endpoints (OGC API, GSR, taskmanager).
Resolution
Although the GeoServer assessment did not identify any issue, we have now updated the spring framework library.
Issue:
- GEOS-10445 Upgrade springframework from 5.1.20.RELEASE to 5.2.20.RELEASE
Thanks to Gabriel Roldan (camptocamp) for troubleshooting and performing this spring-framework update.