geoserver: upgrade to 2.25.2 for vulnerabilities
https://nsfocusglobal.com/remote-code-execution-vulnerability-between-geoserver-and-geotools-cve-2024-36401-cve-2024-36404-notification/

GHSA-6jj6-gm7p-fcvv

GHSA-w3pj-wh35-fq8w

Scope of Impact

Affected Version

    GeoServer < 2.23.6
    2.24.0 <= GeoServer < 2.24.4
    2.25.0 <= GeoServer < 2.25.2
    GeoTools < 29.6
    31.0 <= GeoTools < 31.2
    30.0 <= GeoTools < 30.4

Unaffected version

    GeoServer >= 2.23.6
    GeoServer >= 2.24.4
    GeoServer >= 2.25.2
    GeoTools >= 29.6
    GeoTools >= 30.4
    GeoTools >= 31.2

Mitigation

Official upgrade

1. At present, a new version and security patch have been officially released to fix the above vulnerabilities. Please install updates for protection as soon as possible.

Download link: https://github.com/geoserver/geoserver/tags https://github.com/geotools/geotools/tags

2. You can download the patch versions 2.25.1, 2.24.3, 2.24.2, 2.23.2, 2.21.5, 2.20.7, 2.20.4, 2.19.2, and 2.18.0 from https://geoserver.org to obtain the gt-app-schema, gt-complex, and gt-xsd-core jar files. Replace the corresponding files in WEB-INF/lib of the affected system for restoration.

Other protective measures

If relevant users cannot install updates temporarily, the following measures can be taken for temporary relief: Deleting the gt-complex-x.y.jar file in GeoServer (x.y is the version of GeoTools, such as gt-complex-31.1.jar in GeoServer 2.25.1) will remove vulnerable code from GeoServer, but may compromise some GeoServer functionality. When a gt-complex module is required by an extension in use, it may cause the GeoServer deployment to fail.
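An added example, not part of this commit or of the NSFocus advisory: a small assessment check that takes a deployed GeoServer version and a listing of WEB-INF/lib jar names and decides whether the deployment falls inside the affected ranges quoted above, locating the GeoTools version from the gt-complex-x.y.jar name the advisory's workaround refers to. The range tables and the jar-name pattern come from the text above; the function names and the sample jar listing are assumptions constructed for the example.

```python
import re

# Affected ranges from the advisory: (inclusive lower bound, exclusive upper bound).
# A lower bound of None means "every version below the upper bound".
GEOSERVER_AFFECTED = [(None, (2, 23, 6)), ((2, 24, 0), (2, 24, 4)), ((2, 25, 0), (2, 25, 2))]
GEOTOOLS_AFFECTED = [(None, (29, 6)), ((30, 0), (30, 4)), ((31, 0), (31, 2))]


def parse_version(text):
    """Turn '2.25.2' or '31.1' into a tuple of ints so 2.9 compares below 2.25."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(v, n):
    # '2.24' must compare equal to 2.24.0, so pad with zeros before comparing.
    return v + (0,) * (n - len(v))


def in_affected_range(version, ranges):
    """True when the version sits inside any (low, high) range; bounds handled per the advisory."""
    v = parse_version(version)
    for low, high in ranges:
        n = max(len(v), len(high), len(low or ()))
        pv, ph = _pad(v, n), _pad(high, n)
        if low is None:
            if pv < ph:
                return True
        elif _pad(low, n) <= pv < ph:
            return True
    return False


def geotools_version_from_lib(jar_names):
    """Read the GeoTools version off gt-complex-x.y.jar; None if the jar is absent
    (for example after the advisory's 'delete gt-complex' workaround)."""
    for name in jar_names:
        m = re.match(r"^gt-complex-(\d+(?:\.\d+)*)\.jar$", name)
        if m:
            return m.group(1)
    return None


def assess(geoserver_version, lib_jars):
    """Combine both checks into one verdict for a deployment."""
    gt = geotools_version_from_lib(lib_jars)
    return {
        "geoserver_affected": in_affected_range(geoserver_version, GEOSERVER_AFFECTED),
        "geotools_version": gt,
        "geotools_affected": gt is not None and in_affected_range(gt, GEOTOOLS_AFFECTED),
    }


# Constructed sample: the advisory's own example of GeoServer 2.25.1 shipping gt-complex-31.1.jar.
SAMPLE_LIB = ["gt-complex-31.1.jar", "gt-xsd-core-31.1.jar", "gt-app-schema-31.1.jar"]
```

`assess("2.25.1", SAMPLE_LIB)` flags both GeoServer and GeoTools as affected, while the 2.25.2 image this commit switches to (and a lib directory without gt-complex) comes back clean.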
tlvu committed Jul 9, 2024
1 parent a5e0340 commit 14bda30
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions birdhouse/config/geoserver/default.env
Expand Up @@ -8,9 +8,9 @@
# "moving" tags, meaning not reproducible behavior !
# See https://github.com/kartoza/docker-geoserver/issues/232#issuecomment-808754831
# The version is used for representation in CanarieAPI, while the full tag is used to reference the image.
export GEOSERVER_DOCKER=pavics/geoserver
export GEOSERVER_VERSION=2.22.2
export GEOSERVER_TAGGED=2.22.2-kartoza-build20230226-r7-allow-change-context-root-and-fix-missing-stable-plugins-and-avoid-chown-datadir
export GEOSERVER_DOCKER="pavics/geoserver"
export GEOSERVER_VERSION="2.25.2"
export GEOSERVER_TAGGED="2.25.2--v2024.06.25-kartoza"
export GEOSERVER_IMAGE="${GEOSERVER_DOCKER}:${GEOSERVER_TAGGED}"

export GEOSERVER_ADMIN_USER="admin"
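Review bot: the new GEOSERVER_TAGGED value "2.25.2--v2024.06.25-kartoza" drops the suffixes the old tag carried (allow-change-context-root, fix-missing-stable-plugins, avoid-chown-datadir), and neither this hunk nor the commit message says whether those fixes are still part of the 2.25.2 image; a sentence in the comment block above GEOSERVER_DOCKER stating that should be added. Since that same comment warns that "moving" tags are not reproducible and the new tag carries no build identifier, consider recording the image digest next to the tag (e.g. `pavics/geoserver@sha256:<digest placeholder>`) so the upgrade can be verified later.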

3 comments on commit 14bda30

@fmigneault
Collaborator


@tlvu
A favor to ask.

Whenever a new geoserver version gets updated and pushed to docker hub, can you also update the latest tag?
The reason why I would like this is that I can monitor security issues in Snyk for a specific version and the latest one simultaneously, but if I do not re-import the new version explicitly in Snyk, I might remain on the previous tag version, and miss out on recent vulnerabilities.

I pushed latest to match with 2.25.2--v2024.06.25-kartoza. It was previously referencing an image 8 years old!

@tlvu
Collaborator Author

@tlvu tlvu commented on 14bda30 Sep 20, 2024


Will try to remember that. Since we do not update geoserver that often, apologies in advance if I sometimes forget.

@fmigneault
Collaborator


No problem. Thanks.
