[Geoserver-users] Set aside time for a GeoServer update this Tuesday

Hey folks,

There will be an important GeoServer drop this upcoming Tuesday where we do simultaneous releases of GeoServer 2.25.2 and 2.24.4 - and ask folks to update promptly.

Please plan your time this week accordingly.

https://github.com/geoserver/geoserver/wiki/Release-Schedule

Thanks to my employer GeoCat (and customers) we will be doing a GeoServer 2.23.6 release for those not in a position to upgrade quite yet.

Jody

Hey everyone,

I trust if you are responsible for a GeoServer instance you managed to update in the last two weeks.

The details of the vulnerabilities mentioned are now available:

  • CVE-2024-36401: Remote Code Execution (RCE) vulnerability in evaluating property name expressions

  • CVE-2024-34696: GeoServer’s Server Status shows sensitive environmental variables and Java properties

  • CVE-2024-24749: Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat

I am not going to go over the details in email; one of the goals of using the CVE system is to avoid duplicated or outdated information, so you always have a single point of truth where you can check on the status.

As we are relatively new to using the CVE system to broadcast vulnerabilities, I am curious how it is working for you. It is quite complicated to indicate the version range / version patch information so that it correctly shows up for automated scans. If your infrastructure does use automated scans, please let me know if the scan was able to detect a vulnerable version.

A lot of folks put work into GeoServer each month, and this kind of troubleshooting takes some effort to resolve and communicate. If you are a public institution or service provider using a GeoServer instance, please consider volunteering on the geoserver-security list.

We would also really appreciate more participation around testing the release candidates each March / September.
These activities are where we as a community share effort, and manage risk, as a team - so it is not so expensive to put out updates each month.

Thanks to Steve Ikeoka, David Blasby and Andrea for working on fixes/mitigations. I can also acknowledge Peter and myself for getting the release out promptly. This has been a good team effort.

And thank you for patching yourself over the last week (and if you have not done so already you best hustle…).


Jody Garnett
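An added example, not code from the GeoServer project or from anyone on this list, of the version-range problem raised above: a scanner that encodes an advisory as a single upper bound cannot tell a patched backport release on an older branch from an unpatched one. The script below assumes the fix points are the releases announced in this thread (2.25.2, 2.24.4 and the 2.23.6 backport); those values, the host names and the verdict labels are illustrative, and the CVE record remains the place to confirm the real affected ranges before using something like this on an inventory.

```python
"""Branch-aware check of a reported GeoServer version against the fixed releases.

Constructed example for this thread, not code from the GeoServer project.
Assumption: the first fixed release on each maintenance branch is the one
announced in the thread (2.25.2, 2.24.4, and the 2.23.6 backport). The CVE
record is the source of truth; adjust FIXED_RELEASES from it before use.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]
Branch = Tuple[int, int]

# Assumed fix points, keyed by maintenance branch (major, minor).
FIXED_RELEASES: Dict[Branch, Version] = {
    (2, 25): (2, 25, 2),
    (2, 24): (2, 24, 4),
    (2, 23): (2, 23, 6),
}

# GeoServer-style version strings: "2.25.2", or "2.26-SNAPSHOT" / "2.25-RC" for nightlies.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(SNAPSHOT|RC\d*|M\d*))?", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Version, bool]:
    """Return ((major, minor, patch), is_prerelease); a missing patch number counts as 0."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised GeoServer version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return (major, minor, patch), m.group(4) is not None


def assess(text: str, fixed: Dict[Branch, Version] = FIXED_RELEASES) -> str:
    """Classify one reported version against the per-branch fix points.

    Verdicts: "fixed", "vulnerable", "unsupported" (older branch with no
    published fix, the situation asked about for 2.22 later in this thread),
    "unknown" (branch newer than the advisory covers) or "prerelease"
    (nightly/RC: fix status depends on build date, not on the number).
    """
    (major, minor, patch), prerelease = parse_version(text)
    branch = (major, minor)
    fix = fixed.get(branch)
    if fix is None:
        return "unknown" if branch > max(fixed) else "unsupported"
    if prerelease:
        return "prerelease"
    return "fixed" if (major, minor, patch) >= fix else "vulnerable"


def naive_check(text: str, newest_fix: Version = (2, 25, 2)) -> str:
    """What a scanner concludes if the advisory is encoded as one flat range, '< 2.25.2'.

    Kept to show the failure mode: every patched backport (2.24.4, 2.23.6) is
    reported as vulnerable, so sites on a supported older branch learn to
    ignore the alert, and a newer nightly is silently treated as fixed.
    """
    version, _ = parse_version(text)
    return "fixed" if version >= newest_fix else "vulnerable"


def scan(inventory: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Run both checks over a host -> version map and flag where they disagree."""
    report: Dict[str, Dict[str, str]] = {}
    for host, version in inventory.items():
        branch_aware, flat = assess(version), naive_check(version)
        report[host] = {
            "version": version,
            "branch_aware": branch_aware,
            "flat_range": flat,
            "disagree": "yes" if branch_aware != flat else "no",
        }
    return report


if __name__ == "__main__":
    # Constructed inventory; host names and versions are invented for the example.
    inventory = {
        "gis-prod-1": "2.25.2",
        "gis-prod-2": "2.24.4",
        "gis-legacy": "2.22.5",
        "gis-stage": "2.25.1",
        "gis-nightly": "2.26-SNAPSHOT",
    }
    for host, row in scan(inventory).items():
        print(f"{host:12} {row['version']:14} branch-aware={row['branch_aware']:12} "
              f"flat-range={row['flat_range']:12} disagree={row['disagree']}")
```

Feed `scan()` whatever version strings your inventory already collects. The rows where the two columns disagree are exactly the cases a flat range gets wrong: the backported 2.24.4 shows as vulnerable, the out-of-support 2.22.x is lumped in with merely unpatched hosts, and a post-advisory nightly is waved through.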

Sorry, to avoid further confusion, a short update. I see some references to other CVEs than the one I was referring to. Maybe caused by me.

But my prime question was that I found a reference stating that for NCSC-2024-0274 there were fixes released for 2.25, 2.24, 2.23, 2.21. Version 2.22 was missing from this list, and I wondered whether there was a reason for that, or whether we could use the fixes for version 2.21 on 2.22 as well.

On 03-07-2024 20:44, Jody Garnett wrote:

Aside: What is the NCSC-2024-0274 number? Looks to be a country-specific number for CVE-2024-36401 ...

yes: https://advisories.ncsc.nl/advisory?id=NCSC-2024-0274

On Wed, Jul 3, 2024 at 9:46 PM Jody Garnett <jody.garnett@anonymised.com…> wrote:

But my prime question was that I found a reference stating that for NCSC-2024-0274 there were fixes released for 2.25, 2.24, 2.23, 2.21. Version 2.22 was missing from this list, and I wondered whether there was a reason for that, or whether we could use the fixes for version 2.21 on 2.22 as well.

When a new vulnerability is known and a fix is merged, commercial support providers have the time to contact their clients, advise that a patch is needed (without further details), and perform a timely delivery for it. In the case of GeoSolutions, we enumerated all clients, found the ones that were not in a position to upgrade to an official release right away, and prepared a hotfix for their specific version. As the public announcement went out, we took the occasion to share the hotfixes with the rest of the community as well.

Cheers
Andrea (GeoSolutions)