The documentation update instructions <https://docs.geotools.org/latest/userguide/welcome/upgrade.html> are available, scroll down to GeoTools 25.x (which is the earliest this fix has been made available).
If I was updating an application I would:

1. Search for GeoTools.getInitialContext() <https://docs.geotools.org/latest/javadocs/org/geotools/util/factory/GeoTools.html#getInitialContext--> and GeoTools.getInitialContext(Hints).
2. If you see InitialContext.lookup(name) is being used, replace it with GeoTools.jndiLookup(name) <https://docs.geotools.org/latest/javadocs/org/geotools/util/factory/GeoTools.html#jndiLookup-java.lang.String->.

The getInitialContext() methods are now deprecated (or removed), making it easier to locate code that requires fixing.

Notes:

- If you find the restriction does not match your application requirements, use GeoTools.setJNDINameValidator(Predicate<String>) <https://docs.geotools.org/latest/javadocs/org/geotools/util/factory/GeoTools.html#setJNDINameValidator-java.util.function.Predicate-> to define an appropriate policy. You can use DEFAULT_JNDI_VALIDATOR as a code example <https://github.com/geotools/geotools/blob/main/modules/library/metadata/src/main/java/org/geotools/util/factory/GeoTools.java#L312-L327> when making your own.
- If you already have an initial context, use GeoTools.init(InitialContext) <https://docs.geotools.org/latest/javadocs/org/geotools/util/factory/GeoTools.html#init-javax.naming.InitialContext-> to configure GeoTools to make use of it. Code can use GeoTools.isJNDIAvailable() <https://docs.geotools.org/latest/javadocs/org/geotools/util/factory/GeoTools.html#isJNDIAvailable--> to check if the library has been set up with an initial context or if it was possible to create one.
- Finally, the GeoTools.fixName(context, name) method was useless and unused, and has been removed (GEOT-7114 <https://osgeo-org.atlassian.net/browse/GEOT-7114>).

Note this problem is for any use of JNDI and is not specific to the GeoTools library. You may wish to use these methods to safeguard your application.
--
Jody Garnett

On Apr 12, 2022 at 10:58:48 PM, Jody Garnett <jody.garn...@gmail.com> wrote:
> Good evening everyone, with the recent Log4Shell vulnerabilities it has
> come to our attention that unchecked JNDI lookups are inadvisable.
>
> The GeoTools utility class centralizes JNDI lookups in the library, and we
> have taken the opportunity to introduce a check limiting JNDI lookups to
> no-schema and java lookups:
>
> DataSource dataSource = (DataSource) GeoTools.jndiLookup(name);
>
> This fix is available in the newly made GeoTools 26.4, GeoTools 25.6 and
> GeoTools 24.6 releases (which are available in maven and on source forge
> but I have not made blog posts for them all yet).
>
> If you have any questions please reply to this email.
>
> For more information:
>
> - https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x
> - https://nvd.nist.gov/vuln/detail/CVE-2022-24818
> - http://geotoolsnews.blogspot.com/2022/04/unchecked-jndi-lookups-in-geotools-cve.html
>
> --
> Jody Garnett
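The migration steps above, as an added Java example that is not code from this thread or from the GeoTools project: a JNDI name policy installed with setJNDINameValidator, an isJNDIAvailable() check, and the jndiLookup replacement for InitialContext.lookup. Assumptions: the LOCAL_ONLY predicate is an illustrative policy written here, not the library's DEFAULT_JNDI_VALIDATOR, and a name rejected by the validator surfaces from GeoTools.jndiLookup as a NamingException.

```java
import java.util.function.Predicate;
import javax.naming.NamingException;
import javax.sql.DataSource;
import org.geotools.util.factory.GeoTools;

public class JndiPolicyExample {

    // Illustrative policy (assumption: written for this example, not the library's
    // DEFAULT_JNDI_VALIDATOR): accept a bare name with no URL scheme, or a name in the
    // container-local "java:" namespace, and reject every other scheme (ldap:, rmi:,
    // iiop:, ...) so a lookup can never be steered to a remote naming service.
    static final Predicate<String> LOCAL_ONLY = name -> {
        if (name == null || name.isEmpty()) {
            return false;
        }
        int colon = name.indexOf(':');
        int slash = name.indexOf('/');
        // A scheme is a ':' that appears before the first path separator.
        boolean hasScheme = colon > 0 && (slash < 0 || colon < slash);
        if (!hasScheme) {
            return true; // e.g. "jdbc/postgis"
        }
        return name.regionMatches(true, 0, "java:", 0, 5); // e.g. "java:comp/env/jdbc/postgis"
    };

    // Call once at application start-up, before any GeoTools JNDI lookup.
    static void installPolicy() {
        GeoTools.setJNDINameValidator(LOCAL_ONLY);
    }

    // Replaces the pre-25.x pattern: (DataSource) new InitialContext().lookup(name)
    static DataSource lookupDataSource(String name) throws NamingException {
        if (!GeoTools.isJNDIAvailable()) {
            throw new NamingException("no JNDI initial context is available");
        }
        // Assumption: a name rejected by the validator is reported as a NamingException.
        Object found = GeoTools.jndiLookup(name);
        if (!(found instanceof DataSource)) {
            throw new NamingException("JNDI entry is not a DataSource: " + name);
        }
        return (DataSource) found;
    }

    public static void main(String[] args) {
        installPolicy();
        // Constructed sample names: the first two pass the policy, the third is refused.
        for (String n : new String[] {"jdbc/postgis", "java:comp/env/jdbc/postgis", "ldap://example.invalid/a"}) {
            System.out.println(n + " -> " + (LOCAL_ONLY.test(n) ? "allowed" : "rejected"));
        }
    }
}
```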
_______________________________________________
GeoTools-GT2-Users mailing list
GeoTools-GT2-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-gt2-users