OGC Filter Injection Vulnerability Statement
A vulnerability has been located in the GeoTools library that allows SQL injection through OGC Filter and Function expressions.
- CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)
- CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
If you wish to report a security vulnerability, see instructions on responsible reporting. We also welcome your direct financial support.
Assessment
SQL Injection Vulnerabilities have been found with:
- PropertyIsLike filter, when used with a String field and any relational database based Store, or with a PostGIS DataStore with encode functions enabled, or with any image mosaic with an index stored in a relational database.
- strEndsWith function, when used with a PostGIS DataStore with encode functions enabled.
- strStartsWith function, when used with a PostGIS DataStore with encode functions enabled.
- FeatureId filter, when used with any database table having a String primary key column and when prepared statements are disabled.
- jsonArrayContains function, when used with a String or JSON field and with a PostGIS or Oracle DataStore (GeoServer 2.22.0+ only).
- DWithin filter, when used with an Oracle DataStore.
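The assessment above names the filter and function constructs that reach the affected SQL encoders. The following triage helper is an added example, not code from the GeoServer or GeoTools projects: it parses reverse-proxy access log lines (GeoServer's default logging does not record query strings, so it assumes an nginx/Apache combined-format log in front of GeoServer) and reports which requests exercised one of the listed constructs through the CQL_FILTER, FILTER or featureID parameters. Seeing these constructs in a log is not evidence of an attack, since ordinary clients use LIKE and DWithin all the time; the point is to know which of the affected code paths are actually exercised in a deployment, so that the mitigation list below can be prioritised and so that the post-upgrade log can be compared with the pre-upgrade one. The label names and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlparse

# KVP request parameters that carry an OGC filter.
FILTER_PARAMS = {"cql_filter", "filter", "featureid"}

# Constructs named in the advisory, in their CQL/ECQL and XML Filter spellings.
# The dictionary keys are triage labels chosen here, not GeoTools identifiers.
INDICATORS = {
    "PropertyIsLike": re.compile(r"\bI?LIKE\b|PropertyIsLike", re.I),
    "strEndsWith": re.compile(r"\bstrEndsWith\s*\(", re.I),
    "strStartsWith": re.compile(r"\bstrStartsWith\s*\(", re.I),
    "jsonArrayContains": re.compile(r"\bjsonArrayContains\s*\(", re.I),
    "DWithin": re.compile(r"\bDWITHIN\s*\(|<(?:\w+:)?DWithin\b", re.I),
    "FeatureId": re.compile(r"<(?:\w+:)?(?:FeatureId|ResourceId)\b", re.I),
}

# Combined log format: client, ident, user, [time], "METHOD path HTTP/x", status, bytes
LOG_LINE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_access_log_line(line):
    """Return (client, request path, status) for a combined-format line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return m.group("client"), m.group("path"), int(m.group("status"))


def flag_request(path):
    """Return the sorted list of affected constructs referenced by the request's filter parameters."""
    query = parse_qs(urlparse(path).query, keep_blank_values=True)  # values come back URL-decoded
    hits = set()
    for key, values in query.items():
        key = key.lower()
        if key not in FILTER_PARAMS:
            continue
        if key == "featureid":  # the KVP form of the FeatureId filter
            hits.add("FeatureId")
        for value in values:
            for label, pattern in INDICATORS.items():
                if pattern.search(value):
                    hits.add(label)
    return sorted(hits)


def triage(log_text):
    """Return [(client, hits)] for every request that touched an affected code path."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_access_log_line(line)
        if parsed is None:
            continue
        client, path, _status = parsed
        hits = flag_request(path)
        if hits:
            findings.append((client, hits))
    return findings


# Constructed sample log; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2023:10:01:02 +0000] "GET /geoserver/wfs?service=WFS&version=1.1.0&request=GetFeature&typeName=topp:states&CQL_FILTER=STATE_NAME%20LIKE%20%27New%25%27 HTTP/1.1" 200 5120
203.0.113.7 - - [14/Feb/2023:10:01:05 +0000] "GET /geoserver/wfs?service=WFS&version=1.1.0&request=GetFeature&typeName=topp:states&CQL_FILTER=strEndsWith(STATE_NAME,%27ia%27)%3Dtrue HTTP/1.1" 200 2048
198.51.100.9 - - [14/Feb/2023:10:02:11 +0000] "GET /geoserver/wms?service=WMS&version=1.3.0&request=GetMap&layers=topp:states&bbox=-130,20,-60,55&width=800&height=600&crs=EPSG:4326&format=image/png HTTP/1.1" 200 90000
198.51.100.9 - - [14/Feb/2023:10:03:40 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&featureID=states.3 HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for client, hits in triage(SAMPLE_LOG):
        print(f"{client}: {', '.join(hits)}")
```

POST requests carrying an XML filter body are not visible in an access log, so for WFS clients that POST their GetFeature requests the same matching would have to run on a request-body capture (for example from the GeoServer monitoring extension) rather than on the URL.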
Mitigation
We recommend upgrading. The following list of mitigations addresses some of the issues (e.g., the PropertyIsLike issue has no mitigation for tables with a string field):
- Disabling the PostGIS DataStore encode functions setting to mitigate strEndsWith and strStartsWith (this will cause severe slowdowns in parts of the WMTS multidimensional plugin functionality, if in use).
- Enabling the PostGIS DataStore preparedStatements setting to mitigate the FeatureId vulnerability.
- No mitigation is available for the PropertyIsLike filter; you may choose to disable database DataStores until you are able to upgrade.
- No mitigation is available for DWithin with an Oracle DataStore; you may choose to disable Oracle DataStores until you are able to upgrade.
- As a good practice to limit the attack surface, give the database account used for connection pools the minimum required level of privileges (e.g., read-only unless WFS-T, the importer, or REST granule harvesting are used, and access limited to only the schemas and tables needed for production usage).
Resolution
Issues:
- GEOT-7302 Escape user inputs in SQL queries
- GEOS-10842 Escape user inputs in SQL queries
- GEOS-10839 Add JDBC Configuration parameter to disable SQL comments and pretty-printing (a related issue with the community jdbc-config module)
Patched releases:
- GeoServer 2.23.0 scheduled release
- GeoServer 2.22.2 stable release
- GeoServer 2.21.4 maintenance
- GeoServer 2.20.7
- GeoServer 2.19.7
- GeoServer 2.18.7
If you wish to volunteer to backport these fixes to other GeoServer series and make a release, coordinate on the developers list. If you are not in a position to collaborate, reach out to a commercial support provider to act on your behalf.
Thanks to Steve Ikeoka for responsibly reporting and fixing these issues. Thanks to Jody Garnett (GeoCat) for the stable and maintenance releases. Thanks to Andrea Aime (GeoSolutions) for back porting this fix to versions of GeoTools and GeoServer that are otherwise no longer receiving releases.