[Geoserver-devel] [JIRA] (GEOS-10751) Known Vulnerabilities in Geoserver (v 2.21.2)

Benjamin Kenner created an issue

GeoServer / Bug GEOS-10751

Known Vulnerabilities in Geoserver (v 2.21.2)

Issue Type:

Bug

Affects Versions:

2.21.2

Assignee:

Unassigned

Created:

17/Nov/22 11:34 AM

Priority:

Medium

Reporter:

Benjamin Kenner

Hi all, we are running GeoServer 2.21.2 on top of the kartoza container image. As we do regular vulnerability scans within our container environment with Aqua, we discovered a few vulnerabilities related to the GeoServer source code, especially JAR libraries included in the GeoServer code base.

The following vulnerabilities (only those rated high or critical) were identified by the mentioned solution. Some of the findings include a recommendation for remediation.

| Vulnerability Name | Severity | Resource | Resource Path | Solution |
| --- | --- | --- | --- | --- |
| CVE-2022-41853 | critical | hsqldb | …/geoserver/WEB-INF/lib/hsqldb-2.4.1.jar | Upgrade package hsqldb to version 2.7.1 or above. |
| CVE-2022-41852 | critical | commons-jxpath | …/geoserver/WEB-INF/lib/commons-jxpath-1.3.jar | No vendor fix available |
| CVE-2020-8441 | critical | jyaml | …/geoserver/WEB-INF/lib/jyaml-1.3.jar | No vendor fix available |
| CVE-2022-22978 | critical | spring-security-core | …/geoserver/WEB-INF/lib/spring-security-core-5.1.13.RELEASE.jar | Upgrade package spring-security-core to version 5.5.7 or above. |
| CVE-2020-15232 | critical | print-lib | …/geoserver/WEB-INF/lib/print-lib-2.1.5.jar | Upgrade package print-lib to version 3.24 or above. |
| CVE-2022-25647 | high | gson | …/geoserver/WEB-INF/lib/gson-2.3.1.jar | Upgrade package gson to version 2.8.9 or above. |
| CVE-2022-40149 | high | jettison | …/geoserver/WEB-INF/lib/jettison-1.4.1.jar | Upgrade package jettison to version 1.5.1 or above. |
| CVE-2022-40150 | high | jettison | …/geoserver/WEB-INF/lib/jettison-1.4.1.jar | No vendor fix available |
| CVE-2022-40151 | high | xstream | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar | No vendor fix available |
| CVE-2022-40152 | high | xstream | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar | No vendor fix available |
| CVE-2022-40153 | high | xstream | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar | No vendor fix available |
| CVE-2022-40154 | high | xstream | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar | No vendor fix available |
| CVE-2022-40155 | high | xstream | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar | No vendor fix available |
| CVE-2022-40156 | high | xstream | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar | No vendor fix available |
| CVE-2021-22112 | high | spring-security-web | …/geoserver/WEB-INF/lib/spring-security-web-5.1.13.RELEASE.jar | Upgrade package spring-security-web to version 5.2.9 or above. |
| CVE-2022-3171 | high | protobuf-java | …/geoserver/WEB-INF/lib/protobuf-java-3.9.1.jar | Upgrade package protobuf-java to version 3.16.3 or above. |
| CVE-2022-22950 | high | spring-core | …/geoserver/WEB-INF/lib/spring-core-5.2.22.RELEASE.jar | Upgrade package spring-core to version 5.3.17 or above. |

Are you able to mitigate the vulnerabilities by following the recommendations and updating the corresponding packages within your code base?
Are these vulnerabilities already known, and is remediation on the roadmap for future releases? Are there any dependencies that make it impossible to address these vulnerabilities?

Many thanks for your support and great work!
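As an added example (not GeoServer project code and not part of the issue above), the following Python script shows how an operator can re-check a deployed WEB-INF/lib directory against exactly these findings without re-running the scanner: it parses Maven-style jar names, compares the jar version with the "upgrade to" version from the Solution column, and reports the jars that are still at a version below the fix. The artifact names, CVE ids and fix versions are copied from the table; the "no vendor fix" status is reproduced as the scan reported it at the time of the issue, not re-verified. The jar list in SAMPLE_JARS is constructed from the table (plus one already patched gson and one unrelated jar), and the WEB-INF/lib path in the usage hint is a placeholder.

```python
"""Audit jar names in a GeoServer WEB-INF/lib directory against the findings
in GEOS-10751. Added illustration, not GeoServer's own tooling."""
from __future__ import annotations

import re
from pathlib import Path
from typing import Iterable, Optional

# (artifact, version that fixes the finding or None where the scan reported
# "No vendor fix available", CVE). Copied from the table in the issue.
ADVISORIES = [
    ("hsqldb", "2.7.1", "CVE-2022-41853"),
    ("commons-jxpath", None, "CVE-2022-41852"),
    ("jyaml", None, "CVE-2020-8441"),
    ("spring-security-core", "5.5.7", "CVE-2022-22978"),
    ("print-lib", "3.24", "CVE-2020-15232"),
    ("gson", "2.8.9", "CVE-2022-25647"),
    ("jettison", "1.5.1", "CVE-2022-40149"),
    ("jettison", None, "CVE-2022-40150"),
    ("xstream", None, "CVE-2022-40151"),
    ("xstream", None, "CVE-2022-40152"),
    ("xstream", None, "CVE-2022-40153"),
    ("xstream", None, "CVE-2022-40154"),
    ("xstream", None, "CVE-2022-40155"),
    ("xstream", None, "CVE-2022-40156"),
    ("spring-security-web", "5.2.9", "CVE-2021-22112"),
    ("protobuf-java", "3.16.3", "CVE-2022-3171"),
    ("spring-core", "5.3.17", "CVE-2022-22950"),
]

# Maven-style jar name <artifact>-<version>.jar; the version starts with a
# digit, so "spring-core-5.2.22.RELEASE.jar" splits after "spring-core".
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d[A-Za-z0-9_.-]*)\.jar$")


def parse_version(version: str) -> tuple[int, ...]:
    """Leading numeric components of a version; qualifiers such as RELEASE are dropped."""
    parts: list[int] = []
    for piece in re.split(r"[.-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def parse_jar_name(name: str) -> Optional[tuple[str, str]]:
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


def audit_jars(jar_names: Iterable[str]) -> list[dict]:
    """Return one finding per (jar, CVE) pair that the advisories still apply to."""
    findings: list[dict] = []
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue  # not a versioned jar name, nothing to compare
        artifact, version = parsed
        for adv_artifact, fixed_in, cve in ADVISORIES:
            if adv_artifact != artifact:
                continue
            if fixed_in is None:
                action = "no vendor fix reported; track upstream or replace the dependency"
            elif parse_version(version) < parse_version(fixed_in):
                action = f"upgrade to {fixed_in} or above"
            else:
                continue  # at or above the fixed version: this finding is resolved
            findings.append({"jar": name, "artifact": artifact, "version": version,
                             "cve": cve, "action": action})
    return findings


def audit_directory(lib_dir: str) -> list[dict]:
    """Audit real files, e.g. audit_directory('<geoserver-webapp>/WEB-INF/lib')."""
    return audit_jars(sorted(p.name for p in Path(lib_dir).glob("*.jar")))


# Constructed sample: the jar names from the scan table, one gson that is
# already at the recommended version, and one unrelated jar.
SAMPLE_JARS = [
    "hsqldb-2.4.1.jar", "commons-jxpath-1.3.jar", "jyaml-1.3.jar",
    "spring-security-core-5.1.13.RELEASE.jar", "print-lib-2.1.5.jar",
    "gson-2.3.1.jar", "jettison-1.4.1.jar", "xstream-1.4.19.jar",
    "spring-security-web-5.1.13.RELEASE.jar", "protobuf-java-3.9.1.jar",
    "spring-core-5.2.22.RELEASE.jar", "gson-2.8.9.jar", "example-unrelated-1.0.jar",
]

if __name__ == "__main__":
    for f in audit_jars(SAMPLE_JARS):
        print(f"{f['cve']:15} {f['jar']:45} {f['action']}")
```

Matching on jar file names only catches jars that carry their version in the name; shaded or renamed jars need a manifest or pom.properties check instead, and a result of "no findings" only means none of the advisories listed in this issue still apply, not that the deployment is clean.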



This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100210-sha1:9b34d7c)
