Impact
The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution.
While in GeoWebCache the JNDI strings are provided via local configuration file, in GeoServer a user interface is provided to perform the same, that can be accessed remotely, and requires admin-level login to be used.
Patches
The lookups are going to be restricted in GeoWebCache 1.21.0, 1.20.2, 1.19.3.
Workarounds
For stand-alone GeoWebCache, the attacker must not be able to access the file system where the GWC configuration is hosted, as well as not allowing access to the REST API at geowebcache/rest.
For GeoServer instead, protection can be achieved by making the GUI (geoserver/web) and the REST configuration (geoserver/rest) unreachable from remote hosts, in addition to protecting access to the file system where the GeoServer configuration is stored and closing the embedded GeoWebCache REST API at geoserver/gwc/rest.
Impact
The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution.
While in GeoWebCache the JNDI strings are provided via local configuration file, in GeoServer a user interface is provided to perform the same, that can be accessed remotely, and requires admin-level login to be used.
Patches
The lookups are going to be restricted in GeoWebCache 1.21.0, 1.20.2, 1.19.3.
Workarounds
For stand-alone GeoWebCache, the attacker must not be able to access the file system where the GWC configuration is hosted, as well as not allowing access to the REST API at
geowebcache/rest.For GeoServer instead, protection can be achieved by making the GUI (
geoserver/web) and the REST configuration (geoserver/rest) unreachable from remote hosts, in addition to protecting access to the file system where the GeoServer configuration is stored and closing the embedded GeoWebCache REST API atgeoserver/gwc/rest.