A vulnerability has located in the Spring Framework ecosystem that allow Remote Code Execution. This article describes the vulnerability, assessment, mitigation, and links to patched versions of the various projects involved.

Please do not contact us asking about this vulnerability unless you are reporting an actual demonstration of the problem in a GeoServer installation or are offering to assist in the upgrade process with developer time or money.

If you wish to report a security vulnerability, see instructions on responsible reporting. We also welcome your direct financial support.

Spring4Shell (CVE-2022-22965)

A recently discovered vulnerability in the Spring (CVE-2022-22965) has been reported as affecting systems running Java 9+.

Note systems using Java 8 are not thought to be vulnerable at this time.

Assessment

Both GeoServer and GeoWebCache use Spring MVC, for REST API controllers in both projects, and for the OGC API, GSR and taskmanager community modules, in GeoServer. The projects are commonly deployed as WAR files in Tomcat, with a fair amount of deploys using Java 11 and above.

This sets up both projects for exploit on the SpringShell vulnerability.

We looked , and could not find an actual attack vector yet, but have scheduled a release that contains a spring-framework update that patches the potential issue.

Mitigation

For those that cannot upgrade, the recommended mitigations are:

• Run GeoServer and GeoWebCache on Java 8 instead, which is not vulnerable to the issue.
• Upgrade Tomcat to the releases that patched the attack vector, either 9.0.62 or 8.5.78 (don’t try to use Tomcat 10.x, GeoServer cannot run on it due to incompatible J2EE libraries).
• For extra security, limit access to the REST API, and remove community modules providing new service endpoints (OGC API, GSR, taskmanager).

Resolution

We are working on upgrading to a patched version of the spring framework library and will post an update when that work is complete.

Issue:

• GEOS-10445 Upgrade springframework from 5.1.20.RELEASE to 5.2.20.RELEASE

Patched releases:

• We have now updated the the spring framework library used, please upgrade to GeoServer 2.20.4 stable release, or GeoServer 2.19.6 maintenance release.

Thanks to everyone who reported this issue, Andrea Aime (GeoSolutions) for initial assessment, and to Gabriel Roldan (camptocamp) for troubleshooting and performing this spring-framework update.

GeoServer 2.20.3 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of the 2.20.x series recommended for production systems. This release was made in conjunction with GeoTools 26.3.

Thanks to everyone who contributed, and to Jody Garnett (GeoCat) for making this release.

Security Considerations

This release includes several security enhancements and is a recommended upgrade for production systems.

This release includes two improvements limiting Server-side request forgery (SSRF) opportunities:

• GEOS-10389 Introduce ENTITY_RESOLUTION_ALLOWLIST parameter to further restrict external entity resolution.

  See the user guide on external entities resolution for instructions on use. Keep in mind that the application schema plugin requires external entity resolution to local files be available. The global setting required by application schema has been renamed to Unrestricted XML External Entity Resolution.

• GEOS-10384 Change GetMap to URIKvpParser.

  This improvement is used in conjunction with WMS dynamic styling setting disabling of SLD and SLD_BODY parameters. By handling SLD and SLD_BODY as URI values we can avoid a well-known java side-effect when comparing URL values.

We would like to thank GeoCat for addressing these two issues on behalf of Fisheries and Oceans Canada. If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.

Improvements and Fixes

Improvements:

• GEOS-10367 Allow GetTimeSeries to have a maximum times limit separate than WMS max dimensions

Fixes:

• GEOS-10379 WCS 2.0 requested ScaleSize not being respected when crossing the dateline

• GEOS-10377 Layers and Layer Groups get default abstract in capabilities document when none set in configuration.

• GEOS-10373 GetTimeSeries does not work on source data with time ranges

• GEOS-10362 Username remains in roles.xml after user removal operation

• GEOS-10316 Regression in 2.20.x: Unable to specify JAVA_OPTS for startup.sh

• GEOS-10066 CSS ArrayList class cast exception in layer rendering

• GEOS-9785 Invalid argument type=null when trying to use gs:Download WPS identifier

• GEOS-9770 Cascading WMS server sets invalid I and J when using EPSG:3006 on GetFeatureInfo calls

For more information see 2.20.3 release notes.

About GeoServer 2.20

Additional information on GeoServer 2.20 series:

• Log4J2 zero day vulnerability assessment
• Internationalization of title and abstract
• State of GeoServer 2.20 edition
• Windows Installer

Release notes: ( 2.20.3 | 2.20.2 | 2.20.1 | 2.20.0 | 2.20-RC )

The GeoServer team are happy to announce GeoServer 2.19.5 release is available for download (zip and war) along with docs and extensions.

This GeoServer 2.19.5 release was produced in conjunction with GeoTools 25.5 and GeoWebCache 1.19.2, this is a maintenance release recommended for production systems.

Thanks to everyone who contributed, and to Ian Turton (Astun Technology) for making this release.

Security Considerations

This release includes several security enhancements and is a recommended update for production systems.

This release includes two improvements limiting Server-side request forgery (SSRF) opportunities:

• GEOS-10389 Introduce ENTITY_RESOLUTION_ALLOWLIST parameter to further restrict external entity resolution.

  See the user guide on external entities resolution for instructions on use. Keep in mind that the application schema plugin requires external entity resolution to local files be available. The global setting required by application schema has been renamed to Unrestricted XML External Entity Resolution.

• GEOS-10384 Change GetMap to URIKvpParser.

  This improvement is used in conjunction with WMS dynamic styling setting disabling of SLD and SLD_BODY parameters. By handling SLD and SLD_BODY as URI values we can avoid a well-known java side-effect when comparing URL values.

We would like to thank GeoCat for addressing these two issues on behalf of Fisheries and Oceans Canada. If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.

Improvements and Fixes

Fixes:

• GEOS-9785 Invalid argument type=null when trying to use gs:Download WPS identifier
• GEOS-9770 Cascading WMS server sets invalid I and J when using EPSG:3006 on GetFeatureInfo calls

About GeoServer 2.19

Additional information on GeoServer 2.19 series:

• Log4J2 zero day vulnerability assessment
• WMS GetFeatureInfo includes labels from ColorMap
• Promote WMTS multidim to extension
• Promote WPS-Download to extension
• Promote params-extractor to extension
• Promote GWC-S3 to extension
• Promote WPS-JDBC to extension status
• Promote MapML to extension status
• GeoServer repository transition to main branch

Release notes ( 2.19.5 | 2.19.4 | 2.19.3 | 2.19.2| 2.19.1 | 2.19.0 | 2.19-RC )

We are happy to announce GeoServer 2.20.2 release is available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of the 2.20.x series recommended for production systems. This release was made in conjunction with GeoTools 26.2 and GeoWebCache 1.20.1.

Security Considerations

This release includes several security enhancements and is a recommended upgrade for production systems:

• GeoServer uses the earlier log4j1 library and is not subject to the Log4j2 remote code execution vulnerabilities reported worldwide. For a detailed discussion please read GeoServer Log4J2 zero day vulnerability assessment.

  The release of GeoServer includes a patched version of log4j1 which does not include any remote loggers or socket communication.

If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.

Mark Factory Precedence

When rendering maps with lots of individual graphics, looking up the correct implementation (known as a MarkFactory) can be time consuming.

WMS Settings have new capability to filter out any mark factories not being used, and provide an order to prioritise the ones being used.

For more information see WMS Web Administration (user guide).

Source Code

For developers building from source, we have committed a .gitattributes file to help preserve consistent line encoding across our repository.

With this change it is no longer necessary to set your global configuration to core.autocrlf=input.

Use git reset as outlined below if encounter difficulty updating your checkout:

git pull --rebase
git reset --hard

Improvements and Fixes

• WMS rendering preserves region of interest when clipping working with palette based images
• Importer improvements to better report failed imports and clean up stale importer contents
• WCS return coverages whose native BBOX are slightly outside of the dateline
• Reduce the CPU load of returning Server Status information using OSHI on windows

For more information see 2.20.2 release notes.

About GeoServer 2.20

Additional information on GeoServer 2.20 series:

• Log4J2 zero day vulnerability assessment
• Internationalization of title and abstract
• State of GeoServer 2.20 edition
• Windows Installer

Release notes: ( 2.20.2 | 2.20.1 | 2.20.0 | 2.20-RC )

While GeoServer is not vulnerable to Log4J2 Log4Shell vulnerability, we would like to thank everyone who has reached out with offers of concern and assistance.

The Log4J 1.2 library used by GeoServer has a number of smaller vulnerabilities which we would like to address. While the GeoServer default configuration is not vulnerable it is time to upgrade or replace this library. If you are at all concerned, locate WEB-INF/lib/log4j-1.2.17.jar and replace with our custom log4j-1.2.17.norce.jar, and restart GeoServer.

The GeoSever Project Steering Committee invites:

• Proposals for updating or replacing the Log4J1 library used by GeoServer.

  Successful proposals should consider changes required to GeoTools logging (which bridges from java utility logging to selected logging library), integration with GeoWebCache (uses apache-commons-logging to delegate to selected logging library), and GeoServer (which allows users to select different logging profiles without restarting the application).

• Sponsors interested in funding this activity as a security concern.

  Organizations running GeoServer in a cloud environment are also encouraged to fund this activity. The leading contenders (log4j2,logback,java util logging) provide better integration with cloud logging services than the log4j1 library presently used.

This is a time sensitive activity as we would like to select a good proposal and see the result implemented for the upcoming GeoServer 2.21-RC Release Candidate in March.

Thanks to activity sponsors for your support:

• opengeogroep.nl
• www.terrestris.de
• how2map.com
• www.geonovation.nl
• Add your name here via OSGeo GitHub Sponsorship (monthly donation), PayPal (one time donation), or OSGeo sponsorship (direct invoice).

For more information visit updating or replacing the Log4J1 wiki page.