giohappy
commented
1 month ago @nicokant the Docker images are already updated with the patched versions. Do you have any contrary evidence?
Closed nicokant closed 1 month ago
giohappy
commented
1 month ago @nicokant the Docker images are already updated with the patched versions. Do you have any contrary evidence?
nicokant
commented
1 month ago @giohappy on docker hub the latest tags for 2.24.x is 21 days old and is version 2.24.3, while in the CVE the patched version is 2.24.4. There is no 2.24.4 version on docker hub for the geonode/geoserver image
giohappy
commented
1 month ago Those versions have been manually patched and republished.
nicokant
commented
1 month ago So pulling the latest tag is enough to apply the patches?
giohappy
commented
1 month ago yes @nicokant
mirandadam
commented
1 month ago Hi @giohappy. The dockerfile uses https://artifacts.geonode.org/geoserver/2.24.3/geoserver.war which, according to the metadata displayed on https://artifacts.geonode.org is <LastModified>2024-06-11T08:53:54.000Z</LastModified>.
The pull request that fixes the bug is https://github.com/geotools/geotools/pull/4797 and is from June 4th, which is a week before the update in geonode.war.
If I rebuild the geoserver image from the dockerfile in this repository is it going to be patched?
If it is, then maybe this issue could be closed.
ridoo
commented
1 month ago tl;dr
Make sure, you have the -v2 in the geonode/geoserver version for 2.23.3 and 2.24.3.
Those versions have been manually patched and republished.
@giohappy what do you mean by that? The last run of build and push GH action was three weeks ago. The latest image tag is 23 days old. Checking the latest geonode/geoserver image:
docker run --rm geonode/geoserver:latest ls /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/ | grep gt-complex
gt-complex-29.3.jarEDIT: Running on 2.23.3-v2 the jar is not available (Docker term latest does not mean latest release, but latest build^^):
docker run --rm geonode/geoserver:2.23.3-v2 ls /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/ | grep gt-complexAnother EDIT:
Seems that for 2.23.3 and 2.24.4 the fix had been applied for the -v2 versions. The -v1 still include the gt-complex jar.
ridoo
commented
1 month ago @giohappy can you tell, why the latest Docker builds still include the gt-complex jars?
etj
commented
1 month ago @ridoo that version is patched, look at its date.
Recent versions have been patched, i.e. the vulnerable jars have been replaced with the patched jars. Older version for which the patch was not available, have been "remediated", that is the jars have been removed.
You can tell the patched jars by looking at their timestamp, which is 11 June
etj
commented
1 month ago These are the non-vulnerable docker images, where "patched" and "remed" follow the definition in the above comment:
The rationale was:
geoserver.war files on https://artifacts.geonode.org have been remediated, so that any new build was secureAbout the docker images:
etj
commented
1 month ago @ridoo please don't use or recommend the 2.24.3-v2 image, it was made for testing and is going to be removed. In fact it's not referenced in any branch or sample configuration file.
EHJ-52n
commented
1 month ago Recent versions have been patched, i.e. the vulnerable jars have been replaced with the patched jars. Older version for which the patch was not available, have been "remediated", that is the jars have been removed.
You can tell the patched jars by looking at their timestamp, which is 11 June
This is totally confusing and misleading, when following the official documentation, that says, gt-complex-30.3 is unsafe, but 30.4 is safe (see https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w).
etj
commented
1 month ago @EHJ-52n The remediation removes some GeoServer functionalities (usually not used in GeoNode), so providing the patched version of the jars prevents issues in that direction. Feel free to remove those jars if you don't feel that your instance is secure. We probed all the images with a POC attack and they are safe. Creating an image with a different version of GeoServer requires some effort in testing that all the functionalities are properly working, so in the next future we will provide an image with GeoServer 2.25 If you like, feel free to provide a full covering test using a different geotools release in geoserver 2.24.3
EHJ-52n
commented
1 month ago Are you able to share the POC attack somewhere, hence everyone can verify that theire GeoServer instances are patched?
giohappy
commented
1 month ago Are you able to share the POC attack somewhere, hence everyone can verify that theire GeoServer instances are patched?
@EHJ-52n for security reasons the POC attack won't be shared. We can grant that the images listed above are safe.
Sooner then later we will build Geoserver 2.25.1 for GeoNode and test it on master and 4.3.x. Hopefully we can release 4.3.1 targeting the new Geoserver version.
EHJ-52n
commented
1 month ago @giohappy I expected this and agree not to share, but there was a little bit of hope. Thanks for sharing all this with us!
Thank you for your work!
ridoo
commented
1 month ago @etj Thanks for your input and clarifications. @nicokant if you agree, this issue can be closed. If you have other concerns feel free to comment.
mirandadam
commented
1 month ago @etj , thanks for the clarifications. I started investigating on my own, mainly focused on whether building from the dockerfile in this repository would generate a patched image.
TL;DR; - The image from https://artifacts.geonode.org/geoserver/2.24.3/geoserver.war is indeed patched. Evidence and caveat below.
Long-winded:
Geoserver's notes on version 2.24.3 provide a patch for that version. I then proceeded to investigate whether that is indeed in the latest version of geonode.org's image for 2.24.3:
mkdir compare
cd compare
wget https://sourceforge.net/projects/geoserver/files/GeoServer/2.24.3/geoserver-2.24.3-patches.zip
wget https://artifacts.geonode.org/geoserver/2.24.3/geoserver.war
wget -O geoserver-2.24.3-war.zip https://sourceforge.net/projects/geoserver/files/GeoServ
er/2.24.3/geoserver-2.24.3-war.zip/downloadAfter downloading, sha256sum * gives:
8e644004a5b038d1ca288857c19147c9f7194fd975fb238614d7da816aecfffd geoserver-2.24.3-patches.zip c7edc2bb40cf5dfe7e5f41d29dba3fe5b67cdf86e418ad1e202e48f1cd56bc00 geoserver-2.24.3-war.zip 095793102ad6c520c1cf0c2dc2a28e728eda499954642dd4eaaaafa175c234a2 geoserver.war
Extracting the files:
# downloaded from geonode.org:
unzip geoserver.war -d geoserver_from_geonode.org/
# geoserver official patches:
unzip geoserver-2.24.3-patches.zip -d geoserver-2.24.3-patches/
# geoserver official 2.24.3 war:
unzip geoserver-2.24.3-war.zip -d geoserver-2.24.3-war/
unzip geoserver-2.24.3-war/geoserver.war -d geoserver-2.24.3-war/geoserver/Comparing versions of all the files in the patch:
$ find . -name 'gt-complex*.jar' -exec sha256sum '{}' ';'
0514742ceee76ceb8d92ce1c47052dda3c7d742b0ededf6d197ac9caf24151e4 ./geoserver-2.24.3-war/geoserver/WEB-INF/lib/gt-complex-30.3.jar
851267a0ee830e283b2b97ca2abb8a755245443445bf2545f807ac9ce56ce1ec ./geoserver_from_geonode.org/WEB-INF/lib/gt-complex-30.3.jar
851267a0ee830e283b2b97ca2abb8a755245443445bf2545f807ac9ce56ce1ec ./geoserver-2.24.3-patches/gt-complex-30.3.jar
$ find . -name 'gt-app-schema*.jar' -exec sha256sum '{}' ';'
6445ba95817f5702d6d4691dabdc60b41c42af1c01f5b25f2617132ff015ea67 ./geoserver-2.24.3-war/geoserver/WEB-INF/lib/gt-app-schema-resolver-30.3.jar
6445ba95817f5702d6d4691dabdc60b41c42af1c01f5b25f2617132ff015ea67 ./geoserver_from_geonode.org/WEB-INF/lib/gt-app-schema-resolver-30.3.jar
a13364d99d2aa67226aa45d40394fd8b22cdf186f677e1af199615c32216dd77 ./geoserver-2.24.3-patches/gt-app-schema-30.3.jar
$ find . -name 'gt-xsd-core*.jar' -exec sha256sum '{}' ';'
01bbbcffeb353c884ff67add1f0ffd2f6433851aca0b75e47656dc68dfb246a0 ./geoserver-2.24.3-war/geoserver/WEB-INF/lib/gt-xsd-core-30.3.jar
0484668e0038000b44d5f1f3c362d6b4e20a457344983a2cc8089c7c8a99f7f6 ./geoserver_from_geonode.org/WEB-INF/lib/gt-xsd-core-30.3.jar
0484668e0038000b44d5f1f3c362d6b4e20a457344983a2cc8089c7c8a99f7f6 ./geoserver-2.24.3-patches/gt-xsd-core-30.3.jarConclusion: gt-complex-30.3.jar and gt-xsd-core-30.3.jar have been patched, however gt-app-schema-30.3.jar from the patch is not in the image (there is a similarly named gt-app-schema-resolver-30.3.jar, though).
I have no idea whether gt-app-schema-30.3.jar is necessary or not. It being in the patch suggests it is. It not being in the original geoserver WAR and having no reference to it in the other packages in the patch, suggests that, unless it was already there for a different reason, it isn't necessary. Hence the caveat.
etj
commented
1 month ago @mirandadam the gt-schema-resolver is needed for some internal features to work. The gt-schema is only required if you installed the app schema plugin; The default war built for Geonode does not include such plugin. Such jar has been provided in the geoserver patch since it fixes the vulnerability in that specific plugin.
nicokant
commented
1 month ago I agree, thanks everyone for the clarifications and the investigations!
ridoo
commented
1 month ago @etj in your patch-matrix you have 2.24.2-v1 and 2.24.2-latest (both having digest 43e044f314c6b43f27fce38991f18835b806d72a2789d2dd635efb4ec246bfbc) but
docker run --rm geonode/geoserver:2.24.2-latest ls /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/ | grep gt-complexreport that gt-complex-30.2.jar is still in use. To my knowledge the versions 30.0 <= GeoTools < 30.4 are affected, so I would be happy, if you could double check these geonode/geoserver imagas are really fixed.
giohappy
commented
1 month ago @ridoo as mentioned by @etj those jars have been patched. They have the same version but their content is not the same as the original gt-complex-30.2.jar
ridoo
commented
1 month ago Ok, good. Thanks @giohappy .. people getting nervous because of (human and automatic) vulnerability scanners alerts.
giohappy
commented
1 month ago We're on the same boat @ridoo :) and I was also concerned with the solution of patching jars with the same version numbers, but this was required to avoid breaking things in previous GS versions.
jodygarnett
commented
1 month ago Are you able to share the POC attack somewhere, hence everyone can verify that theire GeoServer instances are patched?
@EHJ-52n for security reasons the POC attack won't be shared. We can grant that the images listed above are safe.
Sooner then later we will build Geoserver 2.25.1 for GeoNode and test it on master and 4.3.x. Hopefully we can release 4.3.1 targeting the new Geoserver version.
Feedback requested
The attack is widely available online within 1 day of disclosure, and it automated tools within 2 days of disclosure. Based on this what is your feedback on including POC in CVE report?
The main reason I see for including POC is that then folks are redirected to the origional report (which has instructions for mitigation). Presently folks are finding the POC on pages that try to summarize mitigation approach resulting in a misleading message: it sounds like some prior releases are patched, but all that exists is some hotfix jars that can be used to patch your system after the fact...
giohappy
commented
1 month ago hi @jodygarnett we can copy here a link to the CVE report, but it's up to the Geoserver team to decide whether to publish a POC attack.
jodygarnett
commented
1 month ago Understood, it does not seem common, I am just annoyed with the messaging.
At least we have more control now.
giohappy
commented
1 month ago FYI geonode/geoserver:2.24.4-v1 has been published.
A critical geoserver vulnerability has been reported and a patched version is available for versions: 2.24.4, 2.25.2, 2.23.6. On docker hub the latest versions were built long ago, would it be possible to update them with the patched version?