Benjamin Kenner *created* an issue

GeoServer / Bug GEOS-10751: Known Vulnerabilities in Geoserver (v 2.21.2)
https://osgeo-org.atlassian.net/browse/GEOS-10751

Issue Type: Bug
Affects Versions: 2.21.2
Assignee: Unassigned
Created: 17/Nov/22 11:34 AM
Priority: Medium
Reporter: Benjamin Kenner

Hi all, we are running GeoServer 2.21.2 on top of the kartoza container image.
As we do regular vulnerability scans within our container environment with Aqua,
we discovered a few vulnerabilities related to the GeoServer source code,
especially jar libraries included in the GeoServer code base.

The following vulnerabilities (only high- or critical-rated ones) are identified
by the mentioned solution. Some of the findings include a recommendation for
remediation.

Vulnerability Name | Severity | Resource             | Resource Path                                                    | Solution
CVE-2022-41853     | critical | hsqldb               | …/geoserver/WEB-INF/lib/hsqldb-2.4.1.jar                         | Upgrade package hsqldb to version 2.7.1 or above.
CVE-2022-41852     | critical | commons-jxpath       | …/geoserver/WEB-INF/lib/commons-jxpath-1.3.jar                   | No vendor fix available
CVE-2020-8441      | critical | jyaml                | …/geoserver/WEB-INF/lib/jyaml-1.3.jar                            | No vendor fix available
CVE-2022-22978     | critical | spring-security-core | …/geoserver/WEB-INF/lib/spring-security-core-5.1.13.RELEASE.jar  | Upgrade package spring-security-core to version 5.5.7 or above.
CVE-2020-15232     | critical | print-lib            | …/geoserver/WEB-INF/lib/print-lib-2.1.5.jar                      | Upgrade package print-lib to version 3.24 or above.
CVE-2022-25647     | high     | gson                 | …/geoserver/WEB-INF/lib/gson-2.3.1.jar                           | Upgrade package gson to version 2.8.9 or above.
CVE-2022-40149     | high     | jettison             | …/geoserver/WEB-INF/lib/jettison-1.4.1.jar                       | Upgrade package jettison to version 1.5.1 or above.
CVE-2022-40150     | high     | jettison             | …/geoserver/WEB-INF/lib/jettison-1.4.1.jar                       | No vendor fix available
CVE-2022-40151     | high     | xstream              | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar                       | No vendor fix available
CVE-2022-40152     | high     | xstream              | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar                       | No vendor fix available
CVE-2022-40153     | high     | xstream              | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar                       | No vendor fix available
CVE-2022-40154     | high     | xstream              | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar                       | No vendor fix available
CVE-2022-40155     | high     | xstream              | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar                       | No vendor fix available
CVE-2022-40156     | high     | xstream              | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar                       | No vendor fix available
CVE-2021-22112     | high     | spring-security-web  | …/geoserver/WEB-INF/lib/spring-security-web-5.1.13.RELEASE.jar   | Upgrade package spring-security-web to version 5.2.9 or above.
CVE-2022-3171      | high     | protobuf-java        | …/geoserver/WEB-INF/lib/protobuf-java-3.9.1.jar                  | Upgrade package protobuf-java to version 3.16.3 or above.
CVE-2022-22950     | high     | spring-core          | …/geoserver/WEB-INF/lib/spring-core-5.2.22.RELEASE.jar           | Upgrade package spring-core to version 5.3.17 or above.

Are you able to mitigate the vulnerabilities by following the recommendations
and updating the corresponding packages within your code base?
Are these vulnerabilities already known, and is remediation on the roadmap of
future releases? Are there any dependencies that make it impossible to address
these vulnerabilities?

Many thanks for your support and great work!
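As an added example (not code from this report or from the GeoServer project), a small Python check that maps the scanner's "Solution" column onto a WEB-INF/lib listing and flags jars still below the quoted fixed version, or carrying a finding with no vendor fix. ADVISORIES is a subset of the findings above; SAMPLE_LIB is a constructed listing, and /opt/geoserver is an assumed install path.

```python
import re
from pathlib import PurePosixPath
# Fixed versions from the report's Solution column (None = no vendor fix); a subset.
ADVISORIES = {
    "CVE-2022-41853": ("hsqldb", "2.7.1"),
    "CVE-2022-41852": ("commons-jxpath", None),
    "CVE-2022-22978": ("spring-security-core", "5.5.7"),
    "CVE-2020-15232": ("print-lib", "3.24"),
    "CVE-2022-25647": ("gson", "2.8.9"),
    "CVE-2022-3171": ("protobuf-java", "3.16.3"),
    "CVE-2022-22950": ("spring-core", "5.3.17"),
}
# Constructed WEB-INF/lib sample: jar names from the report, gson already upgraded.
SAMPLE_LIB = [
    "/opt/geoserver/WEB-INF/lib/hsqldb-2.4.1.jar",
    "/opt/geoserver/WEB-INF/lib/commons-jxpath-1.3.jar",
    "/opt/geoserver/WEB-INF/lib/spring-security-core-5.1.13.RELEASE.jar",
    "/opt/geoserver/WEB-INF/lib/protobuf-java-3.9.1.jar",
    "/opt/geoserver/WEB-INF/lib/gson-2.8.9.jar",
]

# artifact name, dotted numeric version, optional qualifier such as .RELEASE or -SNAPSHOT
JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*)(?:[.-][A-Za-z]\w*)?\.jar$")

def version_tuple(ver):
    """Compare numerically: as plain strings, '3.9.1' would sort above '3.16.3'."""
    return tuple(int(p) for p in ver.split("."))

def parse_jar(path):
    """'.../spring-core-5.2.22.RELEASE.jar' -> ('spring-core', (5, 2, 22)), else None."""
    m = JAR_RE.match(PurePosixPath(path).name)
    return (m.group("name"), version_tuple(m.group("ver"))) if m else None

def check_lib_dir(jar_paths):
    """Map each advisory whose package is present to (jar path, status string)."""
    installed = {p[0]: (path, p[1]) for path in jar_paths if (p := parse_jar(path))}
    results = {}
    for cve, (pkg, fixed) in ADVISORIES.items():
        if pkg not in installed:
            continue  # library not shipped in this deployment
        path, ver = installed[pkg]
        if fixed is None:
            status = "no vendor fix; needs mitigation or removal"
        elif ver < version_tuple(fixed):
            status = f"vulnerable, upgrade to {fixed} or above"
        else:
            status = "fixed version present"
        results[cve] = (path, status)
    return results
```

Run it against the real directory with `check_lib_dir(map(str, Path("/opt/geoserver/WEB-INF/lib").glob("*.jar")))` after each image rebuild to confirm the upgrades actually landed.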

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
