Skip to content

GeoServer's Server Status shows sensitive environmental variables and Java properties

Moderate severity GitHub Reviewed Published Jul 1, 2024 in geoserver/geoserver • Updated Jul 1, 2024

Package

maven org.geoserver.web:gs-web-app (Maven)

Affected versions

>= 2.10.0, < 2.24.4
>= 2.25.0, < 2.25.1

Patched versions

2.24.4
2.25.1
maven org.geoserver:gs-main (Maven)
>= 2.10.0, < 2.24.4
>= 2.25.0, < 2.25.1
2.24.4
2.25.1

Description

GeoServer's Server Status page and REST API (at /geoserver/rest/about/status) lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules' status message.

These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens, for example:

Additionally, many community-developed GeoServer container images export other credentials from their start-up scripts as environment variables to the GeoServer (java) process, such as:

  • GeoServer admin and master (root) passwords

  • Tomcat management application password

  • HTTPS/TLS certificate key store password

  • AWS S3 bucket access keys

The precise scope of the issue depends on which container image is used and how it is configured.

Note

Some container images allow passing secrets as files (eg: POSTGRES_PASSWORD_FILE), or randomly generating passwords on start-up. While this is promoted as best-practice1, if its start-up script exports these as environment variables to GeoServer, they are also impacted by this issue.

Impact

The “about status” API endpoint (at /geoserver/rest/about/status) which powers the Server Status page is only available to administrators.

Depending on the operating environment, administrators might have legitimate access to credentials in other ways, but this issue defeats more sophisticated controls (like break-glass access to secrets or role accounts).

By default, GeoServer only allows same-origin authenticated API access. This limits the scope for a third-party attacker to use an administrator’s credentials to gain access to credentials (ie: requires XSS).

We were unable to determine any other conditions under which the GeoServer REST API may be available more broadly.

Fixes / remediation

GeoServer 2.24.4 and 2.25.1 hide all environment variables and Java system properties by default, with no further action required by GeoServer administrators.

There are new settings to allow an administrator to display these again – effectively reverting this security fix. We strongly recommend administrators leave these settings as-is, and use alternative mechanisms to access environment variables (instructions below).

If you're using GeoServer in a container runtime (such as Docker or Kubernetes) or from some other distributor's packages, you'll need to wait for the maintainer to update the version of GeoServer used in their image.

Warning

If you run GeoServer with parameterized catalog settings (-DALLOW_ENV_PARAMETRIZATION=true), a GeoServer administrator could use this to access any environment variable or Java property by including it in some field which is rendered by the UI (such as the description field), even with this fix.

Advice for container / Docker image maintainers

Update container images to use GeoServer 2.24.4 or 2.25.1 to get the bug fix.

Please leave environment variables and Java system properties hidden by default. If you provide the option to re-enable it, communicate the impact and risks so that users can make an informed choice.

Container images should practice "defence in depth", to limit the impact when it is configured to show environment variables and/or properties:

  • Pass secrets to the container as either:

    • files which are only readable by the GeoServer process/UID, or,
    • references (identifiers) to a secret stored in a cloud provider's metadata or secret management service
  • Pass secrets to GeoServer by generating configuration files as part of your start-up scripts, rather than passing variables/properties or relying on parameterized catalog settings.

  • Ensure any configuration files with secrets are not readable by other users.

  • Clear all environment variables which contain secrets before starting GeoServer.

    Alternatively: start up GeoServer with only the environment variables it needs, and no secrets.

  • Don't pass secrets as command-line flags – these are shown in ps to all users!

Alternatives for displaying GeoServer's environment variables

  • On Linux, you can get all environment variables set at start-up time for a running process with:

    tr '\0' '\n' < /proc/${GEOSERVER_PID}/environ
  • On Windows, SysInternals' Process Explorer can show running processes' environment variables.

  • Current versions of macOS do not allow arbitrary access to other running processes' environment variables. Disabling these restrictions (on a macOS level) would significantly reduce the overall security of the system.

References

Footnotes

  1. Docker Compose: How to use secrets in Docker Compose, Docker Swarm: Build support for Docker Secrets into your images

@jodygarnett jodygarnett published to geoserver/geoserver Jul 1, 2024
Published by the National Vulnerability Database Jul 1, 2024
Published to the GitHub Advisory Database Jul 1, 2024
Reviewed Jul 1, 2024
Last updated Jul 1, 2024

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

EPSS score

0.049%
(19th percentile)

Weaknesses

CVE ID

CVE-2024-34696

GHSA ID

GHSA-j59v-vgcr-hxvf

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.