GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection
Description
Authenticated admin can craft a DB2 JDBC URL to trigger JNDI attack leading to RCE in GeoServer with DB2 extension.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In GeoServer with the DB2 extension installed, an authenticated administrator can create a new data store via the Vector Data Sources page using a DB2 JDBC connection. The connection parameters are not restricted, allowing an attacker to inject a specially crafted JDBC URL that triggers a JNDI lookup. This vulnerability affects all versions prior to 2.27.0 [1][2][3].
Exploitation
An attacker must be authenticated as an administrator and have access to the Vector Data Sources page. The attacker creates a new data store with a DB2 JDBC URL containing a malicious JNDI reference. The server processes the URL, performs the JNDI lookup, and deserializes untrusted data, leading to remote code execution [3].
Impact
Successful exploitation allows the attacker to execute arbitrary code on the GeoServer server with the privileges of the GeoServer process. This can lead to full compromise of the application and potentially the underlying system [2][3].
Mitigation
The issue is fixed in GeoServer version 2.27.0 [1][3]. Users with the DB2 extension should upgrade to this version or later. No workaround is mentioned in the available references; if upgrading is not immediately possible, disabling the DB2 extension or restricting access to the Vector Data Sources page may reduce risk [2][3].
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 3
News mentions: 0 (No linked articles in our index yet.)