GeoServer XXE Vulnerability

GeoServer has encountered an XML External Entity (XXE) vulnerability permitting unauthenticated read access to server files.

This vulnerability (GEOS-7032) is addressed in the following releases, and we strongly encourage all users to upgrade:

Thanks to Ben Caradoc-Davies (Transient Software) for the maintenance release along with Jody Garnett (Boundless) and Andrea Aime (GeoSolutions) for the unscheduled patch releases provided above.

If you are running an earlier version of GeoServer and would like to generate a patch release, please contact one of our commercial support providers, or join us on geoserver-devel to volunteer.

About XXE

For more information on XXE, see the OWASP articles on XML External Entity Processing and XML External Entity Attack, provided to geoserver-devel by Johannes Kröger.
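As an added illustration, not code from the GeoServer project or from this announcement, the Java snippet below shows the parser hardening the OWASP guidance describes applied to a JAXP DocumentBuilderFactory: DOCTYPE declarations and external entity resolution are switched off, so a document that carries an external SYSTEM entity is rejected before the parser reads anything from disk. The class and method names and the placeholder SYSTEM URI in the constructed sample are assumptions of the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Example (hypothetical name): a DocumentBuilderFactory configured to refuse XXE inputs. */
public class XxeSafeParser {

    /** Returns a factory with DTD processing and external entity resolution disabled. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: reject any DOCTYPE, which removes inline and external
        // entity declarations in one step (Xerces feature, used by the JDK parser).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that ignore the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses an in-memory document with the given factory. */
    static Document parse(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: well-formed XML whose DOCTYPE declares an external entity.
        // The SYSTEM URI is a placeholder and does not point at a real file.
        String withDoctype =
              "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/not-a-real-file\">]>\n"
            + "<data>&ext;</data>";
        // Constructed sample: an ordinary document with no DTD, which must still parse.
        String plain = "<?xml version=\"1.0\"?><data>hello</data>";

        DocumentBuilderFactory safe = hardenedFactory();
        System.out.println("plain document root: "
            + parse(safe, plain).getDocumentElement().getNodeName());
        try {
            parse(safe, withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            // Expected: the hardened parser refuses the DOCTYPE before resolving the entity.
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

The same feature strings apply to SAXParserFactory and, via setProperty on XMLInputFactory (SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES), to StAX; whichever parser a service uses, the check worth adding to a test suite is that a document with a DOCTYPE is rejected rather than silently resolved.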

Responsible Disclosure

If you encounter a security vulnerability in GeoServer, or any other open source software, please take care to report the issue in a responsible fashion:

  • Keep exploit details out of the issue report (send them to a developer or PSC member privately, just as you would for sensitive sample data)
  • Be prepared to work with Project Steering Committee (PSC) members on a solution
  • Keep in mind that PSC members are volunteers and an extensive fix may require fundraising or other resources

If you are not in a position to communicate in public (or make use of the issue tracker), please consider commercial support, contacting a PSC member privately, or contacting us via the Open Source Geospatial Foundation at info@osgeo.org.

We will be revising the GeoServer Developers Guide to clarify this process in the coming days.

2 Comments

  1. Zeno
    Posted July 2, 2015 at 2:06 am

    Good Morning!

    I would like to install extensions for GML vector data sources.

    What do I have to download from the web page http://geoserver.org/download/?

    Thanks for your reply!!!

    Zeno

  2. Posted July 3, 2015 at 5:44 pm

    There is no extension for the consumption of GML vector data sources; instead, GeoServer's WFS protocol is responsible for GML publication. You can use a WFS Transaction operation to insert GML into a data source such as PostGIS, but since GML is an interchange format for exchanging information between systems, it does not make much sense to use it locally (no spatial index, for example).

    You are welcome to write a GML DataStore, the GeoTools library does provide GML parsers.
