Upgrade GeoServer for vulnerabilities #465
https://nsfocusglobal.com/remote-code-execution-vulnerability-between-geoserver-and-geotools-cve-2024-36401-cve-2024-36404-notification/

GHSA-6jj6-gm7p-fcvv
GHSA-w3pj-wh35-fq8w

Scope of Impact

Affected Version

- GeoServer < 2.23.6
- 2.24.0 <= GeoServer < 2.24.4
- 2.25.0 <= GeoServer < 2.25.2
- GeoTools < 29.6
- 31.0 <= GeoTools < 31.2
- 30.0 <= GeoTools < 30.4

Unaffected version

- GeoServer >= 2.23.6
- GeoServer >= 2.24.4
- GeoServer >= 2.25.2
- GeoTools >= 29.6
- GeoTools >= 30.4
- GeoTools >= 31.2

Mitigation

Official upgrade

1. At present, a new version and security patch have been officially released to fix the above vulnerabilities. Please install updates for protection as soon as possible. Download link: https://github.com/geoserver/geoserver/tags https://github.com/geotools/geotools/tags
2. You can download the patch versions 2.25.1, 2.24.3, 2.24.2, 2.23.2, 2.21.5, 2.20.7, 2.20.4, 2.19.2, and 2.18.0 from https://geoserver.org to obtain the gt-app-schema, gt-complex, and gt-xsd-core jar files. Replace the corresponding files in WEB-INF/lib of the affected system for restoration.

Other protective measures

If relevant users cannot install updates temporarily, the following measures can be taken for temporary relief: Deleting the gt-complex-x.y.jar file in GeoServer (x.y is the version of GeoTools, such as gt-complex-31.1.jar in GeoServer 2.25.1) will remove vulnerable code from GeoServer, but may compromise some GeoServer functionality. When a gt-complex module is required by an extension in use, it may cause the GeoServer deployment to fail.
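The advisory above gives the affected and unaffected GeoTools ranges and names the gt-complex jar in WEB-INF/lib as the artifact to check, replace or remove. The following POSIX shell script is an added example (not part of this PR and not GeoServer or GeoTools project code) that turns that table into a check a deployer can run against a GeoServer installation: it reads the GeoTools version out of the jar file name, classifies it as fixed, vulnerable or not covered by the table, and reports when no gt-complex jar is present at all (the advisory's "delete the jar" workaround). It assumes jars are named `gt-complex-<major>.<minor>.jar`, as in the `find` output quoted on this page, and that the default library path is the Tomcat one shown there; majors above 31 are reported as `unknown` because the quoted table does not cover them.

```shell
#!/bin/sh
# Added example, not from the PR: classify gt-complex jars in a GeoServer
# WEB-INF/lib against the GeoTools ranges quoted from the NSFOCUS advisory
# (fixed in 29.6, 30.4 and 31.2; everything below 29.6 is affected).

# Print "fixed", "vulnerable" or "unknown" for a GeoTools version "major.minor".
geotools_status() {
    major=${1%%.*}
    case "$1" in
        *.*) rest=${1#*.} ;;
        *)   rest="" ;;
    esac
    # Keep only the leading digits of the minor part ("2-SNAPSHOT" -> "2").
    minor=${rest%%[!0-9]*}
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo unknown
        return
    fi
    case "$major" in
        29) if [ "$minor" -ge 6 ]; then echo fixed; else echo vulnerable; fi ;;
        30) if [ "$minor" -ge 4 ]; then echo fixed; else echo vulnerable; fi ;;
        31) if [ "$minor" -ge 2 ]; then echo fixed; else echo vulnerable; fi ;;
        # Majors below 29 fall under "GeoTools < 29.6"; majors above 31 are
        # not in the quoted table, so they are reported rather than assumed.
        *)  if [ "$major" -lt 29 ]; then echo vulnerable; else echo unknown; fi ;;
    esac
}

# Extract the version from a path such as .../gt-complex-31.2.jar and classify it.
# Jars with any other name (gt-xsd-core, gt-app-schema, ...) are reported as unknown.
gt_complex_jar_status() {
    name=$(basename "$1")
    case "$name" in
        gt-complex-*.jar) ;;
        *) echo unknown; return ;;
    esac
    ver=${name#gt-complex-}
    ver=${ver%.jar}
    geotools_status "$ver"
}

# Scan a WEB-INF/lib directory (default: the Tomcat path from the PR's find
# output) and print "<status>\t<jar>" per gt-complex jar, or "none" if absent.
scan_webinf_lib() {
    libdir=${1:-/usr/local/tomcat/webapps/geoserver/WEB-INF/lib}
    found=0
    for jar in "$libdir"/gt-complex-*.jar; do
        [ -e "$jar" ] || continue
        found=1
        printf '%s\t%s\n' "$(gt_complex_jar_status "$jar")" "$jar"
    done
    # No gt-complex jar at all corresponds to the advisory's removal workaround.
    if [ "$found" -eq 0 ]; then
        printf 'none\t%s (gt-complex jar absent: vulnerable code removed)\n' "$libdir"
    fi
}

# Usage: sh check-gt-complex.sh [/path/to/WEB-INF/lib]
if [ $# -gt 0 ]; then
    scan_webinf_lib "$1"
fi
```

Inside a container the same check can be run with `docker exec` by passing the library path as the argument; a `vulnerable` line means the jar must be replaced with one of the patched versions listed in the advisory or the whole GeoServer upgraded, while `none` confirms the workaround is in place but should be paired with a functional test of any extension that depends on gt-complex.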
For testing migration to use these plugins as existing ones (wps-plugin, ...) will be deprecated. Theoretically these new plugins should be able to co-exist with the existing ones.
@huard @tlogan2000 FYI the new GeoServer is already live on our production, without waiting for this PR to be merged, so we are protected against the vulnerability. All the OGC-API plugins have been enabled if ever you guys want to test it out.
@fmigneault I do not see the CI pipeline being triggered for this PR. Is there a problem on your side?
Very welcomed changes.
Just minor editorial comments.
CHANGES.md
https://nsfocusglobal.com/remote-code-execution-vulnerability-between-geoserver-and-geotools-cve-2024-36401-cve-2024-36404-notification/,
https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv,
https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
Please make them as list items, easier to read after when the text is wrapped in HTML.
Done 03f0577
CHANGES.md
```
$ docker exec -u 0 geoserver find / -iname '**gt-complex**'
/usr/local/tomcat/webapps/geoserver/WEB-INF/lib/gt-complex-31.2.jar
```

The previous version was GeoServer 2.22.2 and GeoTools 28.2.
Add the `shell` style.
Done 03f0577
```
export GEOSERVER_COMMUNITY_EXTENSIONS="geopkg-plugin,\
ogcapi-coverages-plugin,ogcapi-dggs-plugin,ogcapi-features-plugin,ogcapi-images-plugin,\
ogcapi-maps-plugin,ogcapi-styles-plugin,ogcapi-tiled-features-plugin,ogcapi-tiles-plugin,\
stac-datastore-plugin"
```
Can they be placed line-by-line for easier readability?
Sure I can do this for other plugins that we will enable in the future. For the ogcapi bunch, I consider them as a "group" so I'd rather keep them on the same lines if you don't mind.
I think the "group" is more obvious with the "ogcapi-" prefix that would align on all lines when following each other.
Knowing you do not like long lines, that's why I broke it down to 2 lines of "ogcapi-". Do you really want me to put it on one line?
Or I can keep 2 lines with a comment to group related plugins on the same line, else if they are unrelated, on different lines for readability?
Since the `ogcapi-` items are already spread out across 2 lines because there are too many entries, I would rather have everything on their own line.
Also, just noticed that https://github.com/kartoza/docker-geoserver/blob/master/build_data/community_plugins.txt is still referenced above the variable. This is not valid anymore because they switched to the `develop` branch with a new plugin download strategy. The old `master` reference only contains `ogcapi-plugin` as a whole, which is misleading. Maybe https://build.geoserver.org/geoserver/ should be used as reference instead.
Done in 6282c9c.
@tlvu
@fmigneault FYI the STAC datastore that you requested is also live.
Thanks. Good to know. Will try to find time to test it next week on a test instance.
@fmigneault Can you approve so we can merge this PR if no critical blocking issue since this PR is to address a vulnerability so it has to be deployed fast. I think on CRIM and UofT side, you guys would also want to deploy this earlier than later. For other non-critical, I think we can address in subsequent PR.
Overview
GeoServer: upgrade to 2.25.2 to fix vulnerabilities
See:
This change will upgrade to GeoServer 2.25.2 and GeoTools 31.2 (the version of `gt-complex.jar`). The previous version was GeoServer 2.22.2 and GeoTools 28.2.

Also enable

- so we can slowly transition from the WPS plugin.
- so we can test integration with our STAC component.
Test result: jenkins-console-output.txt
Changes
Non-breaking changes
birdhouse_daccs_configs_branch: master
birdhouse_skip_ci: false