OGC Filter Injection Vulnerability Statement
A vulnerability has located in the GeoTools Library that allows SQL Injection using OGC Filter and Function expressions.
- CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)
- CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
If you wish to report a security vulnerability, see instructions on responsible reporting. We also welcome your direct financial support.
Assessment
SQL Injection Vulnerabilities have been found with:
PropertyIsLikefilter, when used with a String field and any relational database based Store, or with a PostGIS DataStore with encode functions enabled, or with any image mosaic with an index stored in a relational database.strEndsWithfunction, when used with a PostGIS DataStore with encode functions enabledstrStartsWithfunction, when used with a PostGIS DataStore with encode functions enabledFeatureIdfilter, when used with any database table having a String primary key column and when prepared statements are disabledjsonArrayContainsfunction, when used with a String or JSON field and with a PostGIS or Oracle DataStore (GeoServer 2.22.0+ only)DWithinfilter, when used with an Oracle DataStore
Mitigation
We recommend upgrading. The following list of mitigations is addressing some of the issues (e.g., the PropertyIsLike issue has no mitigation for tables with a string field):
- Disabling the PostGIS Datastore encode functions setting to mitigate
strEndsWith,strStartsWith(will cause severe slowdowns in parts of the WMTS multidimensional plugin functionality, if in use). - Enabling the PostGIS DataStore preparedStatements setting to mitigate the
FeatureIdvulnerability. - No mitigation is available for
PropertyIsLikefilter, you may choose to disable database DataStores until you are able to upgrade. - No mitigation is available for
DWithinwith Oracle DataStore, you may choose to disable Oracle DataStores until you are able to upgrade. - As a good practice to limit the attack surface, it’s important to give the database account used for connection pools the minimum required level of privileges (e.g., read-only unless WFS-T/importer/REST granule harvesting are used, access limited only to the schemas and tables needed for production usage)
Resolution
Issues:
- GEOT-7302 Escape user inputs in SQL queries
- GEOS-10842 Escape user inputs in SQL queries
-
GEOS-10839 Add JDBC Configuration parameter to disable SQL comments and pretty-printing
A related issue with the community jdbc-config module.
Patched releases:
- GeoServer 2.23.0 scheduled release
- GeoServer 2.22.2 stable release
- GeoServer 2.21.4 maintenance
- GeoServer 2.20.7
- GeoServer 2.19.7
- GeoServer 2.18.7
If you wish to volunteer to backport these fixes to other GeoServer series and make a release co-ordinate on the developers list. If you are not in a position to collaborate reach out to a commercial support provider to act on your behalf.
Thanks to Steve Ikeoka for responsibly reporting and fixing these issues. Thanks to Jody Garnett (GeoCat) for the stable and maintenance releases. Thanks to Andrea Aime (GeoSolutions) for back porting this fix to versions of GeoTools and GeoServer that are otherwise no longer receiving releases.
Tutorials
- How to style layers using GeoServer and QGIS
- How to Publish a GeoTIFF file in GeoServer
- A Comprehensive Guide to Publishing a Shapefile in GeoServer
- GeoServer About & Status - A Practical Guide
- GeoServer installation methods on Windows
- Introducing GeoSpatial Techno with a Video Tutorial
- GeoServer Presentations on FOSS4G 2019
Atom feed