Skip to content

Unchecked JNDI lookups in GeoWebCache

Critical
aaime published GHSA-4v22-v8jp-438r Apr 14, 2022

Package

maven GeoWebCache (Maven)

Affected versions

< 1.21.0, < 1.20.2, < 1.19.3

Patched versions

1.21.0, 1.20.2, 1.19.3

Description

Impact

The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution.
While in GeoWebCache the JNDI strings are provided via local configuration file, in GeoServer a user interface is provided to perform the same, that can be accessed remotely, and requires admin-level login to be used.

Patches

The lookups are going to be restricted in GeoWebCache 1.21.0, 1.20.2, 1.19.3.

Workarounds

For stand-alone GeoWebCache, the attacker must not be able to access the file system where the GWC configuration is hosted, as well as not allowing access to the REST API at geowebcache/rest.
For GeoServer instead, protection can be achieved by making the GUI (geoserver/web) and the REST configuration (geoserver/rest) unreachable from remote hosts, in addition to protecting access to the file system where the GeoServer configuration is stored and closing the embedded GeoWebCache REST API at geoserver/gwc/rest.

Severity

Critical
9.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2022-24846