Spring4Shell RCE vulnerability
A vulnerability has located in the Spring Framework ecosystem that allow Remote Code Execution. This article describes the vulnerability, assessment, mitigation, and links to patched versions of the various projects involved.
Please do not contact us asking about this vulnerability unless you are reporting an actual demonstration of the problem in a GeoServer installation or are offering to assist in the upgrade process with developer time or money.
If you wish to report a security vulnerability, see instructions on responsible reporting. We also welcome your direct financial support.
Spring4Shell (CVE-2022-22965)
A recently discovered vulnerability in the Spring (CVE-2022-22965) has been reported as affecting systems running Java 9+.
Note systems using Java 8 are not thought to be vulnerable at this time.
Assessment
Both GeoServer and GeoWebCache use Spring MVC, for REST API controllers in both projects, and for the OGC API, GSR and taskmanager community modules, in GeoServer. The projects are commonly deployed as WAR files in Tomcat, with a fair amount of deploys using Java 11 and above.
This sets up both projects for exploit on the SpringShell vulnerability.
We looked , and could not find an actual attack vector yet, but have scheduled a release that contains a spring-framework update that patches the potential issue.
Mitigation
For those that cannot upgrade, the recommended mitigations are:
- Run GeoServer and GeoWebCache on Java 8 instead, which is not vulnerable to the issue.
- Upgrade Tomcat to the releases that patched the attack vector, either 9.0.62 or 8.5.78 (don’t try to use Tomcat 10.x, GeoServer cannot run on it due to incompatible J2EE libraries).
- For extra security, limit access to the REST API, and remove community modules providing new service endpoints (OGC API, GSR, taskmanager).
Resolution
We are working on upgrading to a patched version of the spring framework library and will post an update when that work is complete.
Issue:
- GEOS-10445 Upgrade springframework from 5.1.20.RELEASE to 5.2.20.RELEASE
Patched releases:
- We have now updated the the spring framework library used, please upgrade to GeoServer 2.20.4 stable release, or GeoServer 2.19.6 maintenance release.
Thanks to everyone who reported this issue, Andrea Aime (GeoSolutions) for initial assessment, and to Gabriel Roldan (camptocamp) for troubleshooting and performing this spring-framework update.
Vulnerability
- GeoServer 2.26.1 Release
- GeoServer 2.25.4 Release
- GeoServer 2.26.0 Release
- CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions
- GeoServer 2.25.2 Release
- GeoServer 2.24.4 Release
- GeoServer 2.23.6 Release
- GeoServer 2.25.1 Release
- GeoServer 2.25.0 Release
- GeoServer 2.23.5 Release