DIVD-2023-00024 - SQL injection in GeoServer - CVE-2023-25157
Our reference | DIVD-2023-00024 |
Case lead | Max van der Horst |
Author | Jeroen van de Weerd |
Researcher(s) | |
CVE(s) | |
Product | GeoServer |
Versions | |
Recommendation | Install patches. |
Status | Closed |
Last modified | 26 Sep 2023 11:50 CEST |
Summary
GeoServer identified a vulnerability in the GeoTools library that allows SQL injection through OGC Filter and Function expressions. A POC is available.
What you can do
GeoServer advises installing the patch by upgrading to version 2.23.0. If this is not possible, a few mitigations are available: disabling the PostGIS DataStore encode functions mitigates the vulnerabilities in the strStartsWith and strEndsWith functions, and enabling the PostGIS DataStore preparedStatements functionality mitigates the FeatureId vulnerability. Note that these mitigations are known to cause significant slowdowns.
What we are doing
DIVD is currently working to identify vulnerable parties and notify them. We do this by finding GeoServer instances and extracting the version name. Vulnerable parties will receive a notification with remediation steps.
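The following triage helper is an added example, not DIVD's or GeoServer's own code: it combines the version check behind the fingerprinting described above with a check of the two mitigations named under "What you can do". It assumes the PostGIS DataStore connection parameters are keyed `encode functions` (default on) and `preparedStatements` (default off) in a REST-style `<dataStore>` document, and treats 2.23.0 as the first patched release, as this case file states; the sample documents are constructed.

```python
"""Triage helper for DIVD-2023-00024 / CVE-2023-25157 (added example)."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 23, 0)  # first release this case file names as patched


def parse_version(text):
    """Turn '2.22.1' or '2.21-SNAPSHOT' into a comparable (major, minor, patch)."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def needs_patch(version):
    """True when the extracted version name is older than the fix."""
    return parse_version(version) < FIXED_VERSION


def datastore_params(xml_text):
    """Connection parameters from a REST-style <dataStore> document."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): (e.text or "").strip().lower() for e in root.iter("entry")}


def assess(version, datastore_xml):
    """Return the exposures still open; [] means patched or fully mitigated."""
    if not needs_patch(version):
        return []
    p = datastore_params(datastore_xml)
    exposures = []
    # Assumed parameter names/defaults: 'encode functions' defaults to on,
    # 'preparedStatements' defaults to off.
    if p.get("encode functions", "true") != "false":
        exposures.append("strStartsWith/strEndsWith: encode functions still enabled")
    if p.get("preparedStatements", "false") != "true":
        exposures.append("FeatureId: preparedStatements not enabled")
    return exposures


# Constructed sample documents: a default (weak) store and a mitigated one.
WEAK_STORE = """<dataStore><name>gis</name><connectionParameters>
  <entry key="dbtype">postgis</entry>
  <entry key="encode functions">true</entry>
  <entry key="preparedStatements">false</entry>
</connectionParameters></dataStore>"""
MITIGATED_STORE = WEAK_STORE.replace(">true<", ">false<", 1).replace(
    'key="preparedStatements">false', 'key="preparedStatements">true')

if __name__ == "__main__":
    for ver in ("2.22.1", "2.23.0"):
        print(ver, assess(ver, WEAK_STORE), assess(ver, MITIGATED_STORE))
```

An unpatched instance with both mitigations applied returns an empty list, so pair the result with the slowdown caveat above when deciding between mitigating and upgrading.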
Timeline
Date | Description |
---|---|
20 Feb 2023 | GeoServer publishes advisory. |
06 Jun 2023 | POC becomes available. |
07 Jun 2023 | DIVD starts researching fingerprint. |
07 Jun 2023 | First version of this casefile. |
04 Jul 2023 | DIVD starts notification round. |
26 Sep 2023 | Case closed. |