GeoServer has encountered an remote execution vulnerability in the REST API (used for remote administration).

This vulnerability GEOS-7124 is addressed in the following scheduled releases:

Thanks to Andrea Aime (GeoSolutions) and Kevin Smith (Boundless) for both fixing this issue and back porting to the stable and maintenance series.

Users are encouraged to upgrade, keeping in mind exposure to this issue is limited to scripts using administrator credentials to access the REST API. Accounts making use of gsconfig (Python Library) also make use of these facilities.

About Remote Execution

For more information see redhat security article on remote code execution via serialized data.

Responsible Disclosure

Thanks to Matthias Kaiser for reporting this issue.

If you encounter a security vulnerability in GeoServer (or any other open source software) please take care to report the issue in a responsible fashion:

  • Keep exploit details out of issue report (send to developer/PSC privately - just like you would do for sensitive sample data)

  • Be prepared to work with Project Steering Committee (PSC) members on a solution

  • Keep in mind PSC members are volunteers and an extensive fix may require fundraising / resources

If you are not in position to communicate in public (or make use of the issue tracker) please consider commercial support, contacting a PSC member privately or contacting us via the Open Source Geospatial Foundation at info@osgeo.org.