Introduction: GeoTools, an open-source Java library, offers a variety of tools for working with geospatial data. However, a recently discovered vulnerability (CVE-2022-24818) affects several of the library’s data sources, which execute unchecked JNDI lookups. These lookups can lead to class deserialization and, consequently, arbitrary code execution. Although the vulnerability resembles the Log4J case, it only poses a threat if the JNDI names are user-provided, and it requires admin-level login to be triggered. This issue has been addressed in recent GeoTools releases: versions 26.4, 25.6, and 24.6. Users who are unable to upgrade are strongly advised to ensure that any downstream application does not permit the use of remotely provided JNDI strings.

Code Snippet: Here is an example of the kind of code that could be affected by this vulnerability. The JNDI reference name is taken straight from user input and handed to the data store factory, which performs the lookup without checking it.

// GeoTools import statements
import org.geotools.data.DataStore;
import org.geotools.data.DataStoreFinder;
import org.geotools.data.simple.SimpleFeatureSource;

// Java import statements
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

public class JndiDataStoreExample {
    public static void main(String[] args) throws IOException {
        // Data store parameters; the JNDI reference name comes straight from
        // user input, which is the pattern CVE-2022-24818 makes dangerous
        Map<String, Object> dataStoreParams = new HashMap<>();
        dataStoreParams.put("dbtype", "locationtech-jndi");
        dataStoreParams.put("jndiReferenceName", "user_provided_jndi_string");

        // The matching factory performs the JNDI lookup with the unchecked name;
        // getDataStore returns null when no factory accepts the parameters
        DataStore dataStore = DataStoreFinder.getDataStore(dataStoreParams);
        if (dataStore == null) {
            throw new IOException("no data store factory matched the given parameters");
        }
        SimpleFeatureSource featureSource = dataStore.getFeatureSource("example_schema");
        System.out.println(featureSource.getSchema());
    }
}

Exploit Details

1. An attacker provides a malicious JNDI string, which is then used in the GeoTools component to perform an unchecked JNDI lookup.
2. After the JNDI lookup, class deserialization occurs, which can potentially execute arbitrary code depending on the serialized content.

Mitigation Steps

1. Upgrade to GeoTools version 26.4, 25.6, or 24.6, where the unchecked JNDI lookup issue has been resolved.
2. If upgrading is not possible, ensure that any downstream application does not accept or use remotely provided JNDI strings for lookups, mitigating the risk of attackers providing malicious JNDI names.
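One way to apply the second mitigation, as an added example that is not GeoTools project code: remote input selects an alias, and only administrator-configured JNDI names are ever placed in the parameter map. The class name, the alias table and the two JNDI names are constructed for illustration; the dbtype value is the one used in the snippet above.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

// Added example, not GeoTools code: user input picks an alias, and only
// administrator-configured JNDI names ever reach the lookup.
public final class JndiDataSourceSelector {

    // Constructed sample configuration: user-visible alias -> JNDI name fixed
    // by the administrator at deployment time.
    private static final Map<String, String> APPROVED_SOURCES = Map.of(
            "parcels", "java:comp/env/jdbc/parcels",
            "roads",   "java:comp/env/jdbc/roads");

    /** Builds data store parameters for an approved alias; rejects anything else. */
    public static Map<String, Object> paramsFor(String alias) {
        String jndiName = APPROVED_SOURCES.get(alias);
        if (jndiName == null) {
            // The user's string is only used as a map key; it never reaches JNDI.
            throw new IllegalArgumentException("unknown data source alias: " + alias);
        }
        // Defence in depth: a configured entry must be a local java: name, so a
        // mistaken URL-style entry (which would name a remote naming service) is
        // refused before any lookup happens.
        if (!jndiName.startsWith("java:") || jndiName.contains("://")) {
            throw new IllegalStateException("misconfigured JNDI name for alias: " + alias);
        }
        Map<String, Object> params = new HashMap<>();
        params.put("dbtype", "locationtech-jndi"); // dbtype value from the snippet above
        params.put("jndiReferenceName", jndiName);
        // This map is what would be handed to DataStoreFinder.getDataStore(params).
        return Collections.unmodifiableMap(params);
    }

    public static void main(String[] args) {
        System.out.println(paramsFor("parcels"));
        // Supplying a raw JNDI name instead of an alias is refused, even when it
        // happens to be one of the configured names.
        try {
            paramsFor("java:comp/env/jdbc/parcels");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```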

By upgrading or applying these precautions, GeoTools users can continue to benefit from the library’s geospatial data tools while keeping their deployments secure.

Timeline

Published on: 04/13/2022 21:15:00 UTC
Last modified on: 04/21/2022 18:00:00 UTC