Geoserver build for patch CVE-2024-36401

[nicokant]

A critical geoserver vulnerability has been reported and a patched version is available for versions: 2.24.4, 2.25.2, 2.23.6. On docker hub the latest versions were built long ago, would it be possible to update them with the patched version?

[giohappy]

@nicokant the Docker images are already updated with the patched versions. Do you have any contrary evidence?

[nicokant]

@giohappy on docker hub the latest tags for 2.24.x is 21 days old and is version 2.24.3, while in the CVE the patched version is 2.24.4. There is no 2.24.4 version on docker hub for the geonode/geoserver image

[giohappy]

Those versions have been manually patched and republished.

[nicokant]

So pulling the latest tag is enough to apply the patches?

[giohappy]

yes @nicokant

[mirandadam]

Hi @giohappy. The dockerfile uses https://artifacts.geonode.org/geoserver/2.24.3/geoserver.war which, according to the metadata displayed on https://artifacts.geonode.org is <LastModified>2024-06-11T08:53:54.000Z</LastModified>.

The pull request that fixes the bug is https://github.com/geotools/geotools/pull/4797 and is from June 4th, which is a week before the update in geonode.war.

If I rebuild the geoserver image from the dockerfile in this repository is it going to be patched?

If it is, then maybe this issue could be closed.

[ridoo]

tl;dr

Make sure, you have the -v2 in the geonode/geoserver version for 2.23.3 and 2.24.3.

---

Those versions have been manually patched and republished.

@giohappy what do you mean by that? The last run of build and push GH action was three weeks ago. The latest image tag is 23 days old. Checking the latest geonode/geoserver image:

docker run --rm geonode/geoserver:latest ls /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/ | grep gt-complex 
gt-complex-29.3.jar

EDIT: Running on 2.23.3-v2 the jar is not available (Docker term latest does not mean latest release, but latest build^^):

docker run --rm geonode/geoserver:2.23.3-v2 ls /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/ | grep gt-complex

Another EDIT:

Seems that for 2.23.3 and 2.24.4 the fix had been applied for the -v2 versions. The -v1 still include the gt-complex jar.

[ridoo]

@giohappy can you tell, why the latest Docker builds still include the gt-complex jars?

[etj]

@ridoo that version is patched, look at its date.

Recent versions have been patched, i.e. the vulnerable jars have been replaced with the patched jars. Older version for which the patch was not available, have been "remediated", that is the jars have been removed.

You can tell the patched jars by looking at their timestamp, which is 11 June

[etj]

These are the non-vulnerable docker images, where "patched" and "remed" follow the definition in the above comment:

The rationale was:

• with a script, all the geoserver.war files on https://artifacts.geonode.org have been remediated, so that any new build was secure
• as soon as a patch was available, the related war version was updated and replaced on artifacts.geonode.org

About the docker images:

• All the GeoServer images used since GeoNode 4.2.0 were fixed (either patched or remediated). This means that any GeoNode or GeoNode project after 4.2.0 are secure.
• Previous GeoServer images are only used by vanilla GeoNode, and are NOT secure. These old images are not have an automated task, and recreating them from scratch would need extensive testing. Since they are well over they EOL they have not been updated. If we want each artifact to be sacure we may need to delete them, but this would prevent any exisiting instance to be rebuilt.
• Previous GeoNode projects build their GeoServer image locally by themselves, using the war file on artifacts.geonode, thus are secure

[etj]

@ridoo please don't use or recommend the 2.24.3-v2 image, it was made for testing and is going to be removed. In fact it's not referenced in any branch or sample configuration file.

[EHJ-52n]

Recent versions have been patched, i.e. the vulnerable jars have been replaced with the patched jars. Older version for which the patch was not available, have been "remediated", that is the jars have been removed.

You can tell the patched jars by looking at their timestamp, which is 11 June

This is totally confusing and misleading, when following the official documentation, that says, gt-complex-30.3 is unsafe, but 30.4 is safe (see https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w).

[etj]

@EHJ-52n The remediation removes some GeoServer functionalities (usually not used in GeoNode), so providing the patched version of the jars prevents issues in that direction. Feel free to remove those jars if you don't feel that your instance is secure. We probed all the images with a POC attack and they are safe. Creating an image with a different version of GeoServer requires some effort in testing that all the functionalities are properly working, so in the next future we will provide an image with GeoServer 2.25 If you like, feel free to provide a full covering test using a different geotools release in geoserver 2.24.3

[EHJ-52n]

Are you able to share the POC attack somewhere, hence everyone can verify that theire GeoServer instances are patched?

[giohappy]

Are you able to share the POC attack somewhere, hence everyone can verify that theire GeoServer instances are patched?

@EHJ-52n for security reasons the POC attack won't be shared. We can grant that the images listed above are safe.

Sooner then later we will build Geoserver 2.25.1 for GeoNode and test it on master and 4.3.x. Hopefully we can release 4.3.1 targeting the new Geoserver version.

[EHJ-52n]

@giohappy I expected this and agree not to share, but there was a little bit of hope. Thanks for sharing all this with us!

Thank you for your work!

[ridoo]

@etj Thanks for your input and clarifications. @nicokant if you agree, this issue can be closed. If you have other concerns feel free to comment.

[mirandadam]

@etj , thanks for the clarifications. I started investigating on my own, mainly focused on whether building from the dockerfile in this repository would generate a patched image.

TL;DR; - The image from https://artifacts.geonode.org/geoserver/2.24.3/geoserver.war is indeed patched. Evidence and caveat below.

Long-winded:

Geoserver's notes on version 2.24.3 provide a patch for that version. I then proceeded to investigate whether that is indeed in the latest version of geonode.org's image for 2.24.3:

mkdir compare
cd compare
wget https://sourceforge.net/projects/geoserver/files/GeoServer/2.24.3/geoserver-2.24.3-patches.zip
wget https://artifacts.geonode.org/geoserver/2.24.3/geoserver.war
wget -O geoserver-2.24.3-war.zip https://sourceforge.net/projects/geoserver/files/GeoServ
er/2.24.3/geoserver-2.24.3-war.zip/download

After downloading, sha256sum * gives:

8e644004a5b038d1ca288857c19147c9f7194fd975fb238614d7da816aecfffd geoserver-2.24.3-patches.zip c7edc2bb40cf5dfe7e5f41d29dba3fe5b67cdf86e418ad1e202e48f1cd56bc00 geoserver-2.24.3-war.zip 095793102ad6c520c1cf0c2dc2a28e728eda499954642dd4eaaaafa175c234a2 geoserver.war

Extracting the files:

# downloaded from geonode.org:
unzip geoserver.war -d geoserver_from_geonode.org/
# geoserver official patches:
unzip geoserver-2.24.3-patches.zip -d geoserver-2.24.3-patches/
# geoserver official 2.24.3 war:
unzip geoserver-2.24.3-war.zip -d geoserver-2.24.3-war/
unzip geoserver-2.24.3-war/geoserver.war -d geoserver-2.24.3-war/geoserver/

Comparing versions of all the files in the patch:

$ find . -name 'gt-complex*.jar' -exec sha256sum '{}' ';'
0514742ceee76ceb8d92ce1c47052dda3c7d742b0ededf6d197ac9caf24151e4  ./geoserver-2.24.3-war/geoserver/WEB-INF/lib/gt-complex-30.3.jar
851267a0ee830e283b2b97ca2abb8a755245443445bf2545f807ac9ce56ce1ec  ./geoserver_from_geonode.org/WEB-INF/lib/gt-complex-30.3.jar
851267a0ee830e283b2b97ca2abb8a755245443445bf2545f807ac9ce56ce1ec  ./geoserver-2.24.3-patches/gt-complex-30.3.jar

$ find . -name 'gt-app-schema*.jar' -exec sha256sum '{}' ';'
6445ba95817f5702d6d4691dabdc60b41c42af1c01f5b25f2617132ff015ea67  ./geoserver-2.24.3-war/geoserver/WEB-INF/lib/gt-app-schema-resolver-30.3.jar
6445ba95817f5702d6d4691dabdc60b41c42af1c01f5b25f2617132ff015ea67  ./geoserver_from_geonode.org/WEB-INF/lib/gt-app-schema-resolver-30.3.jar
a13364d99d2aa67226aa45d40394fd8b22cdf186f677e1af199615c32216dd77  ./geoserver-2.24.3-patches/gt-app-schema-30.3.jar

$ find . -name 'gt-xsd-core*.jar' -exec sha256sum '{}' ';'
01bbbcffeb353c884ff67add1f0ffd2f6433851aca0b75e47656dc68dfb246a0  ./geoserver-2.24.3-war/geoserver/WEB-INF/lib/gt-xsd-core-30.3.jar
0484668e0038000b44d5f1f3c362d6b4e20a457344983a2cc8089c7c8a99f7f6  ./geoserver_from_geonode.org/WEB-INF/lib/gt-xsd-core-30.3.jar
0484668e0038000b44d5f1f3c362d6b4e20a457344983a2cc8089c7c8a99f7f6  ./geoserver-2.24.3-patches/gt-xsd-core-30.3.jar

Conclusion: gt-complex-30.3.jar and gt-xsd-core-30.3.jar have been patched, however gt-app-schema-30.3.jar from the patch is not in the image (there is a similarly named gt-app-schema-resolver-30.3.jar, though).

I have no idea whether gt-app-schema-30.3.jar is necessary or not. It being in the patch suggests it is. It not being in the original geoserver WAR and having no reference to it in the other packages in the patch, suggests that, unless it was already there for a different reason, it isn't necessary. Hence the caveat.

[etj]

@mirandadam the gt-schema-resolver is needed for some internal features to work. The gt-schema is only required if you installed the app schema plugin; The default war built for Geonode does not include such plugin. Such jar has been provided in the geoserver patch since it fixes the vulnerability in that specific plugin.

[nicokant]

I agree, thanks everyone for the clarifications and the investigations!

[ridoo]

@etj in your patch-matrix you have 2.24.2-v1 and 2.24.2-latest (both having digest 43e044f314c6b43f27fce38991f18835b806d72a2789d2dd635efb4ec246bfbc) but

docker run --rm geonode/geoserver:2.24.2-latest ls /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/ | grep gt-complex

report that gt-complex-30.2.jar is still in use. To my knowledge the versions 30.0 <= GeoTools < 30.4 are affected, so I would be happy, if you could double check these geonode/geoserver imagas are really fixed.

[giohappy]

@ridoo as mentioned by @etj those jars have been patched. They have the same version but their content is not the same as the original gt-complex-30.2.jar

[ridoo]

Ok, good. Thanks @giohappy .. people getting nervous because of (human and automatic) vulnerability scanners alerts.

[giohappy]

We're on the same boat @ridoo :) and I was also concerned with the solution of patching jars with the same version numbers, but this was required to avoid breaking things in previous GS versions.

[jodygarnett]

Are you able to share the POC attack somewhere, hence everyone can verify that theire GeoServer instances are patched?

@EHJ-52n for security reasons the POC attack won't be shared. We can grant that the images listed above are safe.

Sooner then later we will build Geoserver 2.25.1 for GeoNode and test it on master and 4.3.x. Hopefully we can release 4.3.1 targeting the new Geoserver version.

Feedback requested

The attack is widely available online within 1 day of disclosure, and it automated tools within 2 days of disclosure. Based on this what is your feedback on including POC in CVE report?

The main reason I see for including POC is that then folks are redirected to the origional report (which has instructions for mitigation). Presently folks are finding the POC on pages that try to summarize mitigation approach resulting in a misleading message: it sounds like some prior releases are patched, but all that exists is some hotfix jars that can be used to patch your system after the fact...

[giohappy]

hi @jodygarnett we can copy here a link to the CVE report, but it's up to the Geoserver team to decide whether to publish a POC attack.

[jodygarnett]

Understood, it does not seem common, I am just annoyed with the messaging.

At least we have more control now.

[giohappy]

FYI geonode/geoserver:2.24.4-v1 has been published.