GeoTools vulnerability may affect RiskScape users who use PostGIS bookmarks

Overview

A vulnerability has been discovered in an open-source library (GeoTools) used by RiskScape. After some analysis, we believe this vulnerability is low-risk for RiskScape users.

This vulnerability only affects users who read data from PostGIS bookmarks or data sources. The scope for exploitation in RiskScape is limited - the specific details are outlined below, along with a mitigation option.

This vulnerability will be resolved in the next v1.4.0 release of RiskScape, scheduled for March. In the meantime, we recommend that you check any models received via email or from an otherwise untrusted source for this vulnerability (i.e. for PostGIS bookmarks) before running them.

Details

The GeoTools vulnerability allows SQL injection when reading in data from databases such as Oracle or PostgreSQL. This vulnerable GeoTools code is used by the RiskScape PostGIS plugin.

RiskScape uses CQL filters with GeoTools to improve the performance of applying a bookmark filter to the PostGIS dataset. However, these filters start life as RiskScape expressions, so an expression must be both valid CQL and a valid RiskScape expression before it is passed on to the vulnerable code. According to the details of the exploit, the vulnerable CQL functions are limited to 6 specific functions. Only one of these, dwithin, is installed by default in RiskScape, and it is exploitable only with Oracle Spatial, which RiskScape does not support.

However, if a project contained a function whose name matches one of those shown to be vulnerable, the expression could be both valid CQL and valid RiskScape expression language, and so be at risk. For the vulnerability to be exploitable, you must:

  • Have the PostGIS plugin enabled
  • Be reading data from a PostGIS database via a project bookmark or using the bookmark function
  • Be running models from a project that has been tampered with by a “bad actor”

Mitigation

If you are concerned, you can avoid this vulnerability by disabling the PostGIS plugin. To disable the plugin, apply the following global configuration to your settings.ini file:

[global]
no-core-plugins = true
load-plugin = defaults
load-plugin = wizard
load-plugin = wizard-cli
load-plugin = jython
load-plugin = cpython

Refer to the RiskScape documentation for more details on how to edit your settings.ini file.
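The Overview recommends checking untrusted projects for PostGIS bookmarks before running them, and the Mitigation section shows the settings.ini change that disables the plugin. The script below is an added example of automating both checks; it is not RiskScape's own code. It assumes that project.ini bookmarks are `[bookmark NAME]` sections with a `location` value and an optional `filter` expression, that a PostGIS-backed bookmark can be recognised by "postgis" in its location, and that settings.ini follows the `no-core-plugins` / repeated `load-plugin` layout shown above. The sample project and settings text are constructed for the example.

```python
"""Pre-run checks for a RiskScape project received from an untrusted source.

Added example, not RiskScape's own code. Assumptions (labelled):
  * project.ini bookmarks are `[bookmark NAME]` sections with a `location`
    value and an optional `filter` expression (RiskScape's real keys may differ).
  * a PostGIS-backed bookmark is recognised by "postgis" in its location;
    adjust PG_MARKERS if your bookmarks use a different scheme.
  * settings.ini disables core plugins with `no-core-plugins = true` under
    [global] and re-enables individual plugins with repeated `load-plugin`
    lines, as in the advisory's mitigation.
"""
import re

PG_MARKERS = ("postgis",)  # substrings that mark a PostGIS data source (assumption)

# Constructed sample files, not taken from any real project.
SAMPLE_PROJECT = """
[bookmark buildings]
location = data/buildings.shp

[bookmark hazard-db]
location = postgis://dbhost/riskscape
filter = dwithin(geom, region, 500)
"""

SAMPLE_SETTINGS_OK = """
[global]
no-core-plugins = true
load-plugin = defaults
load-plugin = wizard
"""

SAMPLE_SETTINGS_BAD = """
[global]
no-core-plugins = true
load-plugin = defaults
load-plugin = postgis
"""


def parse_ini(text):
    """Parse INI text into {section: [(key, value), ...]}.

    Repeated keys (e.g. several `load-plugin` lines) are kept in order, which
    Python's configparser would either reject or collapse to the last value.
    Only full-line comments (# or ;) are stripped, so a '#' inside a value survives.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


def find_postgis_bookmarks(project_text):
    """Return [(bookmark_name, location, filter_or_None)] for PostGIS-backed bookmarks."""
    found = []
    for section, pairs in parse_ini(project_text).items():
        if not section.startswith("bookmark "):
            continue
        kv = dict(pairs)
        location = kv.get("location", "")
        if any(marker in location.lower() for marker in PG_MARKERS):
            found.append((section[len("bookmark "):].strip(), location, kv.get("filter")))
    return found


def filter_function_names(expression):
    """Return the set of function names called in a filter expression.

    Matches an identifier immediately followed by '('. The advisory names
    dwithin as the only vulnerable CQL function shipped by default, so any
    other called name in an untrusted project's PostGIS filter deserves a look.
    """
    return set(re.findall(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(", expression or ""))


def postgis_plugin_disabled(settings_text):
    """True when settings.ini matches the advisory's mitigation: core plugins
    are switched off and PostGIS is not re-enabled through load-plugin."""
    glob = parse_ini(settings_text).get("global", [])
    no_core = any(k == "no-core-plugins" and v.lower() == "true" for k, v in glob)
    loaded = {v.lower() for k, v in glob if k == "load-plugin"}
    return no_core and "postgis" not in loaded


def report(project_text, settings_text):
    """Summarise what a reviewer should inspect before running the project."""
    lines = []
    for name, location, flt in find_postgis_bookmarks(project_text):
        funcs = sorted(filter_function_names(flt))
        lines.append(f"PostGIS bookmark '{name}' -> {location}; filter functions: {funcs}")
    lines.append(f"PostGIS plugin disabled: {postgis_plugin_disabled(settings_text)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PROJECT, SAMPLE_SETTINGS_OK)))
```

Run it against the project.ini you received and your own settings.ini; a listed bookmark with an unexpected function name in its filter is the case the advisory describes, and a `False` from the settings check means the mitigation has not been applied.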