Tuesday, April 12, 2022

Unchecked JNDI lookups in GeoTools (CVE-2022-24818)

The recent Log4Shell vulnerability has brought to our attention that unchecked JNDI lookups are inadvisable: a name carrying an ldap: or rmi: scheme directs the JVM to contact a remote server, which may then supply attacker-controlled classes or serialized objects. We have isolated the JNDI lookup code responsible in GeoTools and reported the vulnerability as GHSA-jvh2-668r-g75x / CVE-2022-24818.

To address this issue we are pleased to introduce the jndiLookup(String) function:

DataSource dataSource = (DataSource) GeoTools.jndiLookup(name);

This method provides safe lookups by default, limited to names with no scheme and names in the java: scheme, so ldap:, rmi: and other URL schemes are refused before they reach the naming provider. You may override this policy for your application by supplying a JNDI name validator.

Please update your application to one of the patched releases: GeoTools 26.4, GeoTools 25.6 or GeoTools 24.6, and follow the update instructions.

The approach used (limiting lookups to no-scheme and java: lookups) is the same one taken by the Log4j project. You may wish to review your application for any use of InitialContext.lookup(fixedName), and consider making use of GeoTools.jndiLookup(String) as a resolution, so that the name is checked before the lookup is performed. For more information see the GeoTools utility class documentation and javadocs.
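As an added example, and not GeoTools' own implementation, the following Java class implements the policy described above (and in the paragraph introducing jndiLookup): a name is accepted only if it has no scheme or uses the java: scheme, and the lookup is delegated to InitialContext.lookup only after that check passes. The class name JndiNamePolicy, its Predicate<String> validator and the sample names are assumptions for illustration. The scheme detection deliberately mirrors the rule javax.naming.InitialContext uses to decide whether a name is a URL (a ':' with no '/' before it), rather than a looser URI parse, so the policy and the naming provider agree on what counts as a scheme.

```java
import java.util.function.Predicate;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Illustrative JNDI name policy (example code, not the GeoTools implementation).
 * Allows names with no scheme ("jdbc/myDataSource") and names in the java:
 * scheme ("java:comp/env/jdbc/myDataSource"); refuses ldap:, rmi:, dns:, etc.
 */
public final class JndiNamePolicy {

    /**
     * Extract the scheme the way InitialContext does: the text before the first
     * ':' counts as a scheme only if the ':' is not at position 0 and no '/'
     * precedes it. Returns null when the name has no scheme.
     */
    static String schemeOf(String name) {
        int colon = name.indexOf(':');
        int slash = name.indexOf('/');
        if (colon > 0 && (slash == -1 || colon < slash)) {
            return name.substring(0, colon);
        }
        return null;
    }

    /** Default policy: no scheme, or exactly the java: scheme. */
    public static final Predicate<String> DEFAULT_VALIDATOR = name -> {
        if (name == null || name.isEmpty()) {
            return false;
        }
        String scheme = schemeOf(name);
        return scheme == null || scheme.equals("java");
    };

    private final Predicate<String> validator;

    public JndiNamePolicy() {
        this(DEFAULT_VALIDATOR);
    }

    /** Applications needing a different policy supply their own validator. */
    public JndiNamePolicy(Predicate<String> validator) {
        this.validator = validator;
    }

    public boolean isValid(String name) {
        return validator.test(name);
    }

    /**
     * Validate first, then delegate to InitialContext.lookup. A refused name
     * never reaches the naming provider, so no remote connection is attempted.
     */
    public Object lookup(String name) throws NamingException {
        if (!validator.test(name)) {
            throw new NamingException("JNDI lookup refused by policy: " + name);
        }
        InitialContext ctx = new InitialContext();
        try {
            return ctx.lookup(name);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        JndiNamePolicy policy = new JndiNamePolicy();
        // Constructed sample names: two legitimate, three attacker-style.
        String[] names = {
            "jdbc/myDataSource",
            "java:comp/env/jdbc/myDataSource",
            "ldap://127.0.0.1:1389/Exploit",
            "rmi://127.0.0.1:1099/Exploit",
            "dns://127.0.0.1/probe",
        };
        for (String n : names) {
            System.out.println((policy.isValid(n) ? "allow  " : "refuse ") + n);
        }
    }
}
```

Running main shows the two java/no-scheme names allowed and the ldap:, rmi: and dns: names refused; the refusal happens in the policy, before any naming provider is consulted. An application that wants a stricter rule, for instance accepting only names under java:comp/env/, passes its own Predicate<String> to the constructor instead of the default.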