Information about latest alleged GeoServer security vulnerabilities

Dear Reader,

In recent days, news of a new GeoServer vulnerability, CVE-2023-35042, has been released and has drawn some attention on Twitter and on some security related websites. According to NIST, the vulnerability is “undergoing analysis”. At the same time, the report has been opened without any report to the GeoServer project.

The source of the report appears to be this blog post, where a security researcher reports attack attempts on a GeoServer honeypot server he set up, with an example request using the WPS protocol to perform a code injection by means of an embedded Jiffle script. In particular, the attack tries to leverage improper escaping of comments in the script. This issue, along with improper escaping of Jiffle variable names, was fixed this 1 year ago as part of the batch of patches resolving CVE-2022-24846. You can read the announcement for all details about this work, including mitigations and GeoServer releases shipping with the fix.

We have tested the attack against a recent GeoServer version, and found the comment does not even make it into the executable script, as such, the vulnerability has been neutralized by the existing counter-measures. In short, based on the information we have now,  CVE-2023-35042 seems a misguided reissue of last year CVE-2022-24846.

As reiterated multiple times in the past, we strongly recommend keeping your GeoServer installations up to date, and following the GeoServer blog for security related announcements. If anyone finds a new, working vector of attack against GeoServer we strongly recommend following the responsible disclosure guidelines, which are worth repeating here:

– Keep exploit details out of mailing list and issue tracker (send details to geoserver-security@lists.osgeo.org)

– Be prepared to work with Project Steering Committee (PSC) members on a solution

– Keep in mind PSC members are volunteers and an extensive fix may require fundraising / resources

Please send a mail directly to geoserver-security@lists.osgeo.org (moderated list with no possibility to subscribe, please just send directly to the address, the mail will be evaluated and eventually posted) and provide information about the security issue you might have found there.