
[SECURITY] Upgrade GeoTools 24.6 to 28.x+ (12+ Critical CVEs)

Open montge opened this issue 2 months ago • 1 comment

Security Request: GeoTools Major Version Upgrade

Priority: CRITICAL
CVSS: 9.0+ (Multiple vulnerabilities)
Affected: All geospatial functionality in DDF


Problem

GeoTools 24.6 contains 12+ CRITICAL CVEs including XXE and XPath RCE vulnerabilities.

Current Version: 24.6
Recommended Version: 28.6.1+ or 31.6+
Impact: Remote Code Execution, XXE attacks


Known Vulnerabilities

CVE              CVSS     Description
CVE-2022-24816   9.8      XXE vulnerability
CVE-2022-24845   9.8      XPath injection RCE
CVE-2022-24818   9.8      SSRF vulnerability
Multiple others  7.5-9.8  Various injection attacks

DDF Impact

Affected Modules:

  • libs/geospatial/ - Core geo library
  • catalog/spatial/ - All spatial plugins
  • catalog/solr/ - Spatial indexing
  • Any module using WKT, GML, or spatial queries

Dependencies:

org.geotools:gt-main:24.6
org.geotools:gt-opengis:24.6
org.geotools:gt-referencing:24.6
org.geotools:gt-xml:24.6
org.geotools:gt-shapefile:24.6

Upgrade Path

Option A: GeoTools 28.6.1 (RECOMMENDED)

  • LTS branch with security patches
  • Moderate API changes from 24.x
  • Java 11+ compatible
  • Well-tested upgrade path

Option B: GeoTools 31.6

  • Latest stable release
  • Larger API changes
  • More features
  • Higher risk

Migration Effort

Estimated: 40-80 hours

Required Changes:

  1. Update dependency versions in ddf-parent POM
  2. Update CRS/coordinate system handling (API changes)
  3. Update filter encoding (GeoTools filter factory changes)
  4. Update WKT/GML parsing
  5. Extensive testing of spatial queries

Breaking Changes Expected:

  • Coordinate reference system factory methods
  • Filter factory API
  • Some deprecated methods removed

Testing Required

  • [ ] Spatial query functionality
  • [ ] WKT parsing and indexing
  • [ ] Coordinate transformation
  • [ ] CSW/WFS/WMS protocols
  • [ ] Solr spatial indexing
  • [ ] Performance benchmarks

Interim Mitigations

While upgrading:

  1. Input validation on all WKT/GML inputs
  2. Disable external entity processing in XML parsers
  3. Network-level restrictions on outbound connections
  4. Monitor for XXE attack patterns

References

  • GeoTools Security: https://geotools.org/security.html
  • CVE Database: https://nvd.nist.gov/
  • GeoTools 28.x Release Notes: https://docs.geotools.org/latest/release/

montge, Dec 06 '25 13:12
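For interim mitigation 2 (and the kind of rejection worth logging under mitigation 4), here is an added example of a JAXP parser locked down for untrusted GML; it is not DDF or GeoTools code, and the HardenedGmlParser class and both sample strings are constructed for illustration. It assumes the JDK's built-in Xerces parser, which honours the feature URIs used below.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
/** Hypothetical helper: a DocumentBuilder configured to refuse DTDs and external entities. */
public final class HardenedGmlParser {
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refusing any DOCTYPE defeats classic XXE and entity-expansion DoS in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // no DTD fetches (SSRF)
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // no schema fetches
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true); // GML elements are namespace-qualified
        return f.newDocumentBuilder();
    }
    /** Parses GML text; a document that carries a DOCTYPE is rejected with SAXException. */
    public static Document parseGml(String gml)
            throws ParserConfigurationException, SAXException, IOException {
        return newHardenedBuilder().parse(new InputSource(new StringReader(gml)));
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: a plain GML point such as a spatial query might carry.
        String benign = "<gml:Point xmlns:gml=\"http://www.opengis.net/gml\">"
                + "<gml:pos>38.89 -77.03</gml:pos></gml:Point>";
        // Constructed sample: the same point prefixed by a DOCTYPE declaring an external entity.
        String withDoctype = "<!DOCTYPE gml [<!ENTITY ext SYSTEM \"file:///CONSTRUCTED_PATH\">]>" + benign;
        System.out.println("benign root: " + parseGml(benign).getDocumentElement().getTagName());
        try {
            parseGml(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE accepted");
        } catch (SAXException e) {
            // A rejected DOCTYPE in GML input is exactly the pattern mitigation 4 asks to monitor.
            System.out.println("rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

This wrapper only covers XML that DDF code parses itself; XML handled inside GeoTools uses GeoTools' own parser setup, which is why the version upgrade remains the real fix.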

GeoTools is currently at version 24.7. The upgrade from 24.6 to 24.7 was completed in commit eccb601fa4b. A larger jump to 28.x+ would require significant API changes and testing. Keeping this issue open for tracking the major version upgrade path.

montge, Dec 06 '25 20:12