GHSA-99C3-QC2Q-P94M

Vulnerability from github – Published: 2023-02-22 19:16 – Updated: 2023-02-22 19:16
VLAI?
Summary
GeoTools OGC Filter SQL Injection Vulnerabilities
Details

Impact

GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore.

SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations:

  1. PropertyIsLike filter
  2. Requires PostGIS DataStore with "encode functions" enabled
  3. Or any JDBCDataStore (all relational databases) with String field (no mitigation)
  4. strEndsWith function
  5. Requires PostGIS DataStore with "encode functions" enabled
  6. strStartsWith function
  7. Requires PostGIS DataStore with "encode functions" enabled
  8. FeatureId filter
  9. Requires JDBCDataStore (all relational databases) with prepared statements disabled and table with String primary key (Oracle not affected, SQL Server and MySQL have no settings to enabled prepared statements, PostGIS does)
  10. jsonArrayContains function
  11. Requires PostGIS and Oracle DataStore with String or JSON field
  12. DWithin filter
  13. Happens only in Oracle DataStore, no mitigation

Patches

  • GeoTools 28.2
  • GeoTools 27.4
  • GeoTools 26.7
  • GeoTools 25.7
  • GeoTools 24.7

Workarounds

Partial mitigation:

  • In PostGIS DataStore disable "encode functions"
  • In any PostGIS enable "prepared statements" (only database with such settings)
        Map<String, Object> params = new HashMap<>();
        params.put("dbtype", "postgis");
        params.put("host", "localhost");
        params.put("port", 5432);
        params.put("schema", "public");
        params.put("database", "database");
        params.put("user", "postgres");
        params.put("passwd", "postgres");
        params.put("preparedStatements", true ); // mitigation
        params.put("encode functions", false ); // mitigation

        DataStore dataStore = DataStoreFinder.getDataStore(params);

References

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-jdbc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "28.0"
            },
            {
              "fixed": "28.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-jdbc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "27.0"
            },
            {
              "fixed": "27.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-jdbc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "26.0"
            },
            {
              "fixed": "26.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-jdbc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "25.0"
            },
            {
              "fixed": "25.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-jdbc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25158"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-22T19:16:06Z",
    "nvd_published_at": "2023-02-21T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nGeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore.\n\nSQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations:\n\n1. ``PropertyIsLike`` filter\n   * Requires PostGIS DataStore with \"encode functions\" enabled\n   * Or any JDBCDataStore (all relational databases) with String field (no mitigation)\n3. ``strEndsWith`` function\n   * Requires PostGIS DataStore with \"encode functions\" enabled\n5. ``strStartsWith`` function\n   * Requires PostGIS DataStore with \"encode functions\" enabled\n6. ``FeatureId`` filter\n   * Requires JDBCDataStore (all relational databases) with prepared statements disabled and table with String primary key (Oracle not affected, SQL Server and MySQL have no settings to enabled prepared statements, PostGIS does)\n7. ``jsonArrayContains`` function\n   * Requires PostGIS and Oracle DataStore with String or JSON field\n8. ``DWithin`` filter\n   * Happens only in Oracle DataStore, no mitigation\n\n### Patches\n\n* GeoTools 28.2\n* GeoTools 27.4\n* GeoTools 26.7\n* GeoTools 25.7\n* GeoTools 24.7\n\n### Workarounds\n\nPartial mitigation:\n\n* In PostGIS DataStore disable \"encode functions\"\n* In any PostGIS enable \"prepared statements\" (only database with such settings)\n\n```java\n        Map\u003cString, Object\u003e params = new HashMap\u003c\u003e();\n        params.put(\"dbtype\", \"postgis\");\n        params.put(\"host\", \"localhost\");\n        params.put(\"port\", 5432);\n        params.put(\"schema\", \"public\");\n        params.put(\"database\", \"database\");\n        params.put(\"user\", \"postgres\");\n        params.put(\"passwd\", \"postgres\");\n        params.put(\"preparedStatements\", true ); // mitigation\n        params.put(\"encode functions\", false ); // mitigation\n\n        DataStore dataStore = DataStoreFinder.getDataStore(params);\n```\n\n### References\n\n* [OGC Filter SQL Injection Vulnerabilities](https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf) (GeoServer)\n",
  "id": "GHSA-99c3-qc2q-p94m",
  "modified": "2023-02-22T19:16:06Z",
  "published": "2023-02-22T19:16:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25158"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geotools/geotools"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GeoTools OGC Filter SQL Injection Vulnerabilities"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.