[MAVEN:GHSA-99C3-QC2Q-P94M] GeoTools OGC Filter SQL Injection Vulnerabilities
Severity
Critical
Affected Packages
5
Fixed Packages
5
CVEs
1
Impact
GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore.
SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations:
PropertyIsLikefilter- Requires PostGIS DataStore with "encode functions" enabled
- Or any JDBCDataStore (all relational databases) with String field (no mitigation)
strEndsWithfunction- Requires PostGIS DataStore with "encode functions" enabled
strStartsWithfunction- Requires PostGIS DataStore with "encode functions" enabled
FeatureIdfilter- Requires JDBCDataStore (all relational databases) with prepared statements disabled and table with String primary key (Oracle not affected, SQL Server and MySQL have no settings to enabled prepared statements, PostGIS does)
jsonArrayContainsfunction- Requires PostGIS and Oracle DataStore with String or JSON field
DWithinfilter- Happens only in Oracle DataStore, no mitigation
Patches
- GeoTools 28.2
- GeoTools 27.4
- GeoTools 26.7
- GeoTools 25.7
- GeoTools 24.7
Workarounds
Partial mitigation:
- In PostGIS DataStore disable "encode functions"
- In any PostGIS enable "prepared statements" (only database with such settings)
```java
Map<String, Object> params = new HashMap<>();
params.put("dbtype", "postgis");
params.put("host", "localhost");
params.put("port", 5432);
params.put("schema", "public");
params.put("database", "database");
params.put("user", "postgres");
params.put("passwd", "postgres");
params.put("preparedStatements", true ); // mitigation
params.put("encode functions", false ); // mitigation
DataStore dataStore = DataStoreFinder.getDataStore(params);
```
References
- OGC Filter SQL Injection Vulnerabilities (GeoServer)
| Package | Affected Version |
|---|---|
 pkg:maven/org.geotools/gt-jdbc
|
< 24.7 |
|
pkg:maven/org.geotools/gt-jdbc
|
>= 25.0, < 25.7 |
|
pkg:maven/org.geotools/gt-jdbc
|
>= 26.0, < 26.7 |
|
pkg:maven/org.geotools/gt-jdbc
|
>= 27.0, < 27.4 |
|
pkg:maven/org.geotools/gt-jdbc
|
>= 28.0, < 28.2 |
| Package | Fixed Version |
|---|---|
|
pkg:maven/org.geotools/gt-jdbc
|
= 24.7 |
|
pkg:maven/org.geotools/gt-jdbc
|
= 25.7 |
|
pkg:maven/org.geotools/gt-jdbc
|
= 26.7 |
|
pkg:maven/org.geotools/gt-jdbc
|
= 27.4 |
|
pkg:maven/org.geotools/gt-jdbc
|
= 28.2 |
- ID
- MAVEN:GHSA-99C3-QC2Q-P94M
- Severity
- critical
- URL
- https://github.com/advisories/GHSA-99c3-qc2q-p94m
- Published
-
2023-02-22T19:16:06
(19 months ago) - Modified
-
2023-02-22T19:16:08
(19 months ago) - Rights
- Maven Security Team
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.geotools/gt-jdbc | org.geotools |
gt-jdbc
|
< 24.7 | |||
| Fixed | pkg:maven/org.geotools/gt-jdbc | org.geotools |
gt-jdbc
|
= 24.7 | |||
| Affected | pkg:maven/org.geotools/gt-jdbc | org.geotools |
gt-jdbc
|
>= 25.0 < 25.7 | |||
| Fixed | pkg:maven/org.geotools/gt-jdbc | org.geotools |
gt-jdbc
|
= 25.7 | |||
| Affected | pkg:maven/org.geotools/gt-jdbc | org.geotools |
gt-jdbc
|
>= 26.0 < 26.7 | |||
| Fixed | pkg:maven/org.geotools/gt-jdbc | org.geotools |
gt-jdbc
|
= 26.7 | |||
| Affected | pkg:maven/org.geotools/gt-jdbc | org.geotools |
gt-jdbc
|
>= 27.0 < 27.4 | |||
| Fixed | pkg:maven/org.geotools/gt-jdbc | org.geotools |
gt-jdbc
|
= 27.4 | |||
| Affected | pkg:maven/org.geotools/gt-jdbc | org.geotools |
gt-jdbc
|
>= 28.0 < 28.2 | |||
| Fixed | pkg:maven/org.geotools/gt-jdbc | org.geotools |
gt-jdbc
|
= 28.2 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |