CVE-2023-25158

描述

### Impact GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations: 1. ``PropertyIsLike`` filter * Requires PostGIS DataStore with "encode functions" enabled * Or any JDBCDataStore (all relational databases) with String field (no mitigation) 3. ``strEndsWith`` function * Requires PostGIS DataStore with "encode functions" enabled 5. ``strStartsWith`` function * Requires PostGIS DataStore with "encode functions" enabled 6. ``FeatureId`` filter * Requires JDBCDataStore (all relational databases) with prepared statements disabled and table with String primary key (Oracle not affected, SQL Server and MySQL have no settings to enabled prepared statements, PostGIS does) 7. ``jsonArrayContains`` function * Requires PostGIS and Oracle DataStore with String or JSON field 8. ``DWithin`` filter * Happens only in Oracle DataStore, no mitigation ### Patches * GeoTools 28.2 * GeoTools 27.4 * GeoTools 26.7 * GeoTools 25.7 * GeoTools 24.7 ### Workarounds Partial mitigation: * In PostGIS DataStore disable "encode functions" * In any PostGIS enable "prepared statements" (only database with such settings) ```java Map<String, Object> params = new HashMap<>(); params.put("dbtype", "postgis"); params.put("host", "localhost"); params.put("port", 5432); params.put("schema", "public"); params.put("database", "database"); params.put("user", "postgres"); params.put("passwd", "postgres"); params.put("preparedStatements", true ); // mitigation params.put("encode functions", false ); // mitigation DataStore dataStore = DataStoreFinder.getDataStore(params); ``` ### References * [OGC Filter SQL Injection Vulnerabilities](https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf) (GeoServer)

如何修補 CVE-2023-25158

要修補 CVE-2023-25158,請將受影響套件升級到下列已修補版本。

• —升級至 28.2 或更新版本

CVE-2023-25158 正在被利用嗎?

低 — EPSS 為 4.7%,目前沒有觀察到大規模利用活動。

受影響套件(1)