GeoServer Blog
GeoServer 2.20.4 Released
GeoServer 2.20.4 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is a stable release of the 2.20.x series recommended for production systems. This release was made in conjunction with GeoTools 26.4.
Thanks to everyone who contributed, and to Andrea Aime (GeoSolutions) and Jody Garnett (GeoCat) for making this release.
Security Considerations
This release includes several security enhancements and is a recommended upgrade for production systems.
This release includes two improvements addressing Jiffle and GeoTools RCE vulnerabilities:
- GEOS-10458 Upgrade to JAI-EXT 1.1.22
- GEOT-7115 Streamline JNDI lookups
This release also includes:
- GEOS-10445 Upgrade springframework from 5.1.20.RELEASE to 5.2.20.RELEASE
Although the GeoServer assessment did not identify any issue, we have now updated the Spring Framework library.
2024-06-30 Update: The following mitigation has been provided:
- CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical)
geoserver-2.20.4-patches (replacing the gt-app-schema, gt-complex and gt-xsd-core jars) has been provided by Andrea (GeoSolutions).
See project security policy for more information on how security vulnerabilities are managed.
Add Styles support to LayerGroup
Allows a layer group (layer mode SINGLE or OPAQUE) to list alternate styles in addition to the default one. Each alternate style is defined by a named configuration of layers and styles providing a unique visual representation.
- GEOS-10252 Add Styles support to LayerGroup
- GEOS-10274 Geofence follow up LayerGroup Style addition
For more information see the GSIP-205 Add Styles support to LayerGroup proposal.
Improvements and Fixes
Improvements:
- GEOS-10434 Externalized GeoServer environment properties
- GEOS-10427 Improve access check in ImportProcess
- GEOS-10409 Improve deletion of WPS Execute input temp files
Fixes:
- GEOS-10437 Breaking SLD 1.1 style by REST upload
- GEOS-10419 NullPointerException from GeoServerOAuthAuthenticationFilter
- GEOS-10418 Bad request sent to GeoFence when matching roles only
- GEOS-10401 WPS GetExecutionResult doesn’t validate the mimetype parameter
- GEOS-10400 Disabling WMS dynamic styling does not affect GetLegendGraphic requests
- GEOS-10393 WFS-T deletes the wrong features (and further BatchManager issues)
- GEOS-9978 WMS vendor parameter CLIP - ignores TIME/CQL_FILTER and other parameters when using with ImageMosaic
Tasks:
- GEOS-10445 Upgrade springframework from 5.1.20.RELEASE to 5.2.20.RELEASE
- GEOS-10303 Upgrade to jackson 2.13.2
For more information see 2.20.4 release notes.
About GeoServer 2.20
Additional information on GeoServer 2.20 series:
- Jiffle and GeoTools RCE vulnerabilities
- Spring RCE Spring4Shell CVE-2022-22965 assessment
- Log4J2 zero day vulnerability assessment
- Internationalization of title and abstract
- State of GeoServer 2.20 edition
- Windows Installer
Release notes: ( 2.20.4 | 2.20.3 | 2.20.2 | 2.20.1 | 2.20.0 | 2.20-RC )
GeoServer 2.19.6 Released
GeoServer 2.19.6 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is an extra maintenance release of the 2.19.x series recommended for production systems. This release was made in conjunction with GeoTools 25.6.
Thanks to everyone who contributed, and to Andrea Aime (GeoSolutions) for making this release.
Security Considerations
This release includes several security enhancements and is a recommended upgrade for production systems.
This release includes two improvements addressing Jiffle and GeoTools RCE vulnerabilities:
- GEOS-10458 Upgrade to JAI-EXT 1.1.22
- GEOT-7115 Streamline JNDI lookups
This release also includes:
- GEOS-10445 Upgrade springframework from 5.1.20.RELEASE to 5.2.20.RELEASE
Although the GeoServer assessment did not identify any issue, we have now updated the Spring Framework library.
Improvements and Fixes
Fixes:
- GEOS-10437 Breaking SLD 1.1 style by REST upload
- GEOS-10336 INSPIRE failure: version not propagated in GetCapabilities LegendURL
- GEOS-9978 WMS vendor parameter CLIP - ignores TIME/CQL_FILTER and other parameters when using with ImageMosaic
Tasks:
- GEOS-10303 Upgrade to jackson 2.13.2
For more information see 2.19.6 release notes.
About GeoServer 2.19
Additional information on GeoServer 2.19 series:
- Jiffle and GeoTools RCE vulnerabilities
- Log4J2 zero day vulnerability assessment
- WMS GetFeatureInfo includes labels from ColorMap
- Promote WMTS multidim to extension
- Promote WPS-Download to extension
- Promote params-extractor to extension
- Promote GWC-S3 to extension
- Promote WPS-JDBC to extension status
- Promote MapML to extension status
- GeoServer repository transition to main branch
Release notes ( 2.19.6 | 2.19.5 | 2.19.4 | 2.19.3 | 2.19.2 | 2.19.1 | 2.19.0 | 2.19-RC )
GeoServer 2.18.6 Released
GeoServer 2.18.6 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is an extra maintenance release of the 2.18.x series recommended for production systems that have not yet upgraded to 2.19. This release was made in conjunction with GeoTools 24.6.
Thanks to everyone who contributed, and to Andrea Aime (GeoSolutions) and Jody Garnett (GeoCat) for making this release.
Security Considerations
This release includes security enhancements and is a recommended upgrade for production systems.
This release includes two improvements addressing Jiffle and GeoTools RCE vulnerabilities:
- GEOS-10458 Upgrade to JAI-EXT 1.1.22
- GEOT-7115 Streamline JNDI lookups
This release also includes:
- GEOS-10445 Upgrade Spring Framework from 5.1.20.RELEASE to 5.2.20.RELEASE
Although the GeoServer assessment did not identify any issue, we have now updated the Spring Framework library.
Improvements and Fixes
- GEOS-10437 Breaking SLD 1.1 style by REST upload
- GEOS-10249 GWC produces NPE when it comes to race condition
- GEOS-10215 Layers nested inside a group maintain their prefix even in workspace specific services
- GEOS-10213 WMS requests fail on LayerGroup default style names, when used in GetMap/GetFeatureInfo/GetLegendGraphics
- GEOS-10200 GetLegendGraphic can fail if SCALE removes all rules
- GEOS-10321 WCS 2.0 might fail to return coverages whose native BBOX goes slightly outside of the dateline
- GEOS-10194 Improve importer LOGGING
- GEOS-10335 Update GeoServer to a log4j version that does not support RCEs
For more information see 2.18.6 release notes.
About GeoServer 2.18
Additional information on GeoServer 2.18 series:
- Jiffle and GeoTools RCE vulnerabilities
- Log4J2 zero day vulnerability assessment
- State of GeoServer 2.18 (slides)
- GeoServer Orientation (slides, video)
Release Notes ( 2.18.6 | 2.18.5 | 2.18.4 | 2.18.3 | 2.18.2 | 2.18.1 | 2.18.0 | 2.18-RC )
Spring4Shell RCE vulnerability
A vulnerability has been located in the Spring Framework ecosystem that allows Remote Code Execution. This article describes the vulnerability, assessment, mitigation, and links to patched versions of the various projects involved.
Please do not contact us asking about this vulnerability unless you are reporting an actual demonstration of the problem in a GeoServer installation or are offering to assist in the upgrade process with developer time or money.
If you wish to report a security vulnerability, see instructions on responsible reporting. We also welcome your direct financial support.
Spring4Shell (CVE-2022-22965)
A recently discovered vulnerability in the Spring Framework (CVE-2022-22965) has been reported as affecting systems running Java 9+.
Note systems using Java 8 are not thought to be vulnerable at this time.
Assessment
Both GeoServer and GeoWebCache use Spring MVC: for the REST API controllers in both projects, and in GeoServer also for the OGC API, GSR and taskmanager community modules. The projects are commonly deployed as WAR files in Tomcat, with a fair amount of deployments using Java 11 and above.
This exposes both projects to the Spring4Shell vulnerability.
We looked, and have not yet found an actual attack vector, but have scheduled a release containing a spring-framework update that patches the potential issue.
Mitigation
For those that cannot upgrade, the recommended mitigations are:
- Run GeoServer and GeoWebCache on Java 8 instead, which is not vulnerable to the issue.
- Upgrade Tomcat to the releases that patched the attack vector, either 9.0.62 or 8.5.78 (don’t try to use Tomcat 10.x, GeoServer cannot run on it due to incompatible J2EE libraries).
- For extra security, limit access to the REST API, and remove community modules providing new service endpoints (OGC API, GSR, taskmanager).
Resolution
We are working on upgrading to a patched version of the spring framework library and will post an update when that work is complete.
Issue:
- GEOS-10445 Upgrade springframework from 5.1.20.RELEASE to 5.2.20.RELEASE
Patched releases:
- We have now updated the Spring Framework library used; please upgrade to the GeoServer 2.20.4 stable release, or the GeoServer 2.19.6 maintenance release.
Thanks to everyone who reported this issue, Andrea Aime (GeoSolutions) for initial assessment, and to Gabriel Roldan (camptocamp) for troubleshooting and performing this spring-framework update.
GeoServer 2.20.3 Released
GeoServer 2.20.3 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is a stable release of the 2.20.x series recommended for production systems. This release was made in conjunction with GeoTools 26.3.
Thanks to everyone who contributed, and to Jody Garnett (GeoCat) for making this release.
Security Considerations
This release includes several security enhancements and is a recommended upgrade for production systems.
This release includes two improvements limiting Server-side request forgery (SSRF) opportunities:
- GEOS-10389 Introduce ENTITY_RESOLUTION_ALLOWLIST parameter to further restrict external entity resolution. See the user guide on external entities resolution for instructions on use. Keep in mind that the application schema plugin requires external entity resolution to local files to be available. The global setting required by application schema has been renamed to Unrestricted XML External Entity Resolution.
- GEOS-10384 Change GetMap to URIKvpParser. This improvement is used in conjunction with the WMS dynamic styling setting that disables the SLD and SLD_BODY parameters. By handling SLD and SLD_BODY as URI values we avoid a well-known Java side effect when comparing URL values.
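The two mitigations above, as an illustrative Java example written for this post (not GeoServer's own code): an allowlist-driven SAX EntityResolver in the spirit of ENTITY_RESOLUTION_ALLOWLIST, and URI-based handling of style references. The side effect the second item alludes to is that java.net.URL.equals() and hashCode() resolve host names over DNS, whereas java.net.URI compares its components textually. The class name, method names, the comma-separated allowlist format and the sample hosts are all assumptions constructed for the example; the real setting is documented in the user guide.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Illustrative hardening patterns written for this post; NOT GeoServer's code.
 * 1. External entities are fetched only when their systemId is an http(s) URI whose
 *    host is on an allowlist (or a file: URI when local files are explicitly enabled,
 *    as the application schema plugin requires). Everything else resolves to empty.
 * 2. Style references (SLD / SLD_BODY) are handled as java.net.URI, not java.net.URL:
 *    URL.equals()/hashCode() resolve host names over DNS, URI compares textually.
 */
public final class SsrfHardening {

    /** Parses a comma-separated host list (hypothetical format) into a lower-cased set. */
    static Set<String> parseAllowlist(String value) {
        Set<String> hosts = new HashSet<>();
        if (value == null) return hosts;
        for (String h : value.split(",")) {
            String host = h.trim().toLowerCase(Locale.ROOT);
            if (!host.isEmpty()) hosts.add(host);
        }
        return hosts;
    }

    /** True when the reference may be fetched: http(s) to an allowlisted host, or file: if permitted. */
    static boolean isAllowed(String reference, Set<String> allowedHosts, boolean allowLocalFiles) {
        if (reference == null) return false;
        URI uri;
        try {
            uri = new URI(reference.trim()).normalize();
        } catch (URISyntaxException e) {
            return false; // unparseable: refuse rather than guess
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        if (scheme.equals("file")) return allowLocalFiles;
        if (!scheme.equals("http") && !scheme.equals("https")) return false;
        String host = uri.getHost(); // taken from the string itself, no DNS lookup involved
        return host != null && allowedHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    /** SAX resolver: returning null lets the parser open systemId; an empty source swallows it. */
    static EntityResolver allowlistResolver(Set<String> allowedHosts, boolean allowLocalFiles) {
        return (publicId, systemId) -> isAllowed(systemId, allowedHosts, allowLocalFiles)
                ? null
                : new InputSource(new ByteArrayInputStream(new byte[0]));
    }

    /** Compares two style references without any network side effect (URI, not URL). */
    static boolean sameReference(String a, String b) {
        try {
            return new URI(a).normalize().equals(new URI(b).normalize());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample allowlist; not GeoServer's default list.
        Set<String> hosts = parseAllowlist("schemas.opengis.net, www.w3.org");

        System.out.println("schema host allowed:   " + isAllowed("http://schemas.opengis.net/sld/1.1.0/StyledLayerDescriptor.xsd", hosts, false));
        System.out.println("other host allowed:    " + isAllowed("http://internal.example/styles/x.sld", hosts, false));
        System.out.println("file, local disabled:  " + isAllowed("file:///opt/geoserver/data/schema.xsd", hosts, false));
        System.out.println("file, local enabled:   " + isAllowed("file:///opt/geoserver/data/schema.xsd", hosts, true));
        System.out.println("textual URI equality:  " + sameReference("HTTP://www.w3.org/a/../b", "http://www.w3.org/b"));

        // Constructed document whose external entity points at a host that is not allowlisted.
        String xml = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE sld [<!ENTITY ext SYSTEM \"http://internal.example/x.txt\">]>"
                + "<sld>&ext;</sld>";
        XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        reader.setEntityResolver(allowlistResolver(hosts, false));
        StringBuilder text = new StringBuilder();
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        reader.parse(new InputSource(new StringReader(xml)));
        // The entity expands to nothing because the resolver handed back an empty source.
        System.out.println("entity content length: " + text.length());
    }
}
```

The resolver never opens a connection itself: it only decides, from the parsed URI components, whether the parser may. That keeps the decision free of the DNS lookups that java.net.URL comparison would trigger, which is the same reason the GetMap parser above switched to URI values.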
We would like to thank GeoCat for addressing these two issues on behalf of Fisheries and Oceans Canada. If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.
Improvements and Fixes
Improvements:
- GEOS-10367 Allow GetTimeSeries to have a maximum times limit separate from WMS max dimensions
Fixes:
- GEOS-10379 WCS 2.0 requested ScaleSize not being respected when crossing the dateline
- GEOS-10377 Layers and Layer Groups get default abstract in capabilities document when none set in configuration.
- GEOS-10373 GetTimeSeries does not work on source data with time ranges
- GEOS-10362 Username remains in roles.xml after user removal operation
- GEOS-10316 Regression in 2.20.x: Unable to specify JAVA_OPTS for startup.sh
- GEOS-10066 CSS ArrayList class cast exception in layer rendering
- GEOS-9785 Invalid argument type=null when trying to use gs:Download WPS identifier
- GEOS-9770 Cascading WMS server sets invalid I and J when using EPSG:3006 on GetFeatureInfo calls
For more information see 2.20.3 release notes.
About GeoServer 2.20
Additional information on GeoServer 2.20 series:
- Log4J2 zero day vulnerability assessment
- Internationalization of title and abstract
- State of GeoServer 2.20 edition
- Windows Installer
Release notes: ( 2.20.3 | 2.20.2 | 2.20.1 | 2.20.0 | 2.20-RC )