ghsa-99c3-qc2q-p94m
Vulnerability from github
Published
2023-02-22 19:16
Modified
2023-02-22 19:16
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
GeoTools OGC Filter SQL Injection Vulnerabilities
Details

Impact

GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore.

SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations:

  1. PropertyIsLike filter
  2. Requires PostGIS DataStore with "encode functions" enabled
  3. Or any JDBCDataStore (all relational databases) with String field (no mitigation)
  4. strEndsWith function
  5. Requires PostGIS DataStore with "encode functions" enabled
  6. strStartsWith function
  7. Requires PostGIS DataStore with "encode functions" enabled
  8. FeatureId filter
  9. Requires JDBCDataStore (all relational databases) with prepared statements disabled and table with String primary key (Oracle not affected, SQL Server and MySQL have no settings to enabled prepared statements, PostGIS does)
  10. jsonArrayContains function
  11. Requires PostGIS and Oracle DataStore with String or JSON field
  12. DWithin filter
  13. Happens only in Oracle DataStore, no mitigation

Patches

  • GeoTools 28.2
  • GeoTools 27.4
  • GeoTools 26.7
  • GeoTools 25.7
  • GeoTools 24.7

Workarounds

Partial mitigation:

  • In PostGIS DataStore disable "encode functions"
  • In any PostGIS enable "prepared statements" (only database with such settings)

```java Map params = new HashMap<>(); params.put("dbtype", "postgis"); params.put("host", "localhost"); params.put("port", 5432); params.put("schema", "public"); params.put("database", "database"); params.put("user", "postgres"); params.put("passwd", "postgres"); params.put("preparedStatements", true ); // mitigation params.put("encode functions", false ); // mitigation

    DataStore dataStore = DataStoreFinder.getDataStore(params);

```

References

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-jdbc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "28.0"
            },
            {
              "fixed": "28.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-jdbc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "27.0"
            },
            {
              "fixed": "27.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-jdbc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "26.0"
            },
            {
              "fixed": "26.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-jdbc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "25.0"
            },
            {
              "fixed": "25.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-jdbc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25158"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-22T19:16:06Z",
    "nvd_published_at": "2023-02-21T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nGeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore.\n\nSQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations:\n\n1. ``PropertyIsLike`` filter\n   * Requires PostGIS DataStore with \"encode functions\" enabled\n   * Or any JDBCDataStore (all relational databases) with String field (no mitigation)\n3. ``strEndsWith`` function\n   * Requires PostGIS DataStore with \"encode functions\" enabled\n5. ``strStartsWith`` function\n   * Requires PostGIS DataStore with \"encode functions\" enabled\n6. ``FeatureId`` filter\n   * Requires JDBCDataStore (all relational databases) with prepared statements disabled and table with String primary key (Oracle not affected, SQL Server and MySQL have no settings to enabled prepared statements, PostGIS does)\n7. ``jsonArrayContains`` function\n   * Requires PostGIS and Oracle DataStore with String or JSON field\n8. ``DWithin`` filter\n   * Happens only in Oracle DataStore, no mitigation\n\n### Patches\n\n* GeoTools 28.2\n* GeoTools 27.4\n* GeoTools 26.7\n* GeoTools 25.7\n* GeoTools 24.7\n\n### Workarounds\n\nPartial mitigation:\n\n* In PostGIS DataStore disable \"encode functions\"\n* In any PostGIS enable \"prepared statements\" (only database with such settings)\n\n```java\n        Map\u003cString, Object\u003e params = new HashMap\u003c\u003e();\n        params.put(\"dbtype\", \"postgis\");\n        params.put(\"host\", \"localhost\");\n        params.put(\"port\", 5432);\n        params.put(\"schema\", \"public\");\n        params.put(\"database\", \"database\");\n        params.put(\"user\", \"postgres\");\n        params.put(\"passwd\", \"postgres\");\n        params.put(\"preparedStatements\", true ); // mitigation\n        params.put(\"encode functions\", false ); // mitigation\n\n        DataStore dataStore = DataStoreFinder.getDataStore(params);\n```\n\n### References\n\n* [OGC Filter SQL Injection Vulnerabilities](https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf) (GeoServer)\n",
  "id": "GHSA-99c3-qc2q-p94m",
  "modified": "2023-02-22T19:16:06Z",
  "published": "2023-02-22T19:16:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25158"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geotools/geotools"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GeoTools OGC Filter SQL Injection Vulnerabilities"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.