[SECURITY] Upgrade GeoTools 24.6 to 28.x+ (12+ Critical CVEs) #6939

@montge

Description

Security Request: GeoTools Major Version Upgrade

Priority: CRITICAL
CVSS: 9.0+ (Multiple vulnerabilities)
Affected: All geospatial functionality in DDF


Problem

GeoTools 24.6 contains 12+ CRITICAL CVEs including XXE and XPath RCE vulnerabilities.

Current Version: 24.6
Recommended Version: 28.6.1+ or 31.6+
Impact: Remote Code Execution, XXE attacks


Known Vulnerabilities

| CVE             | CVSS    | Description               |
|-----------------|---------|---------------------------|
| CVE-2022-24816  | 9.8     | XXE vulnerability         |
| CVE-2022-24845  | 9.8     | XPath injection RCE       |
| CVE-2022-24818  | 9.8     | SSRF vulnerability        |
| Multiple others | 7.5-9.8 | Various injection attacks |

DDF Impact

Affected Modules:

  • libs/geospatial/ - Core geo library
  • catalog/spatial/ - All spatial plugins
  • catalog/solr/ - Spatial indexing
  • Any module using WKT, GML, or spatial queries

Dependencies:

org.geotools:gt-main:24.6
org.geotools:gt-opengis:24.6
org.geotools:gt-referencing:24.6
org.geotools:gt-xml:24.6
org.geotools:gt-shapefile:24.6

Upgrade Path

Option A: GeoTools 28.6.1 (RECOMMENDED)

  • LTS branch with security patches
  • Moderate API changes from 24.x
  • Java 11+ compatible
  • Well-tested upgrade path

Option B: GeoTools 31.6

  • Latest stable release
  • Larger API changes
  • More features
  • Higher risk

Migration Effort

Estimated: 40-80 hours

Required Changes:

  1. Update dependency versions in ddf-parent POM
  2. Update CRS/coordinate system handling (API changes)
  3. Update filter encoding (GeoTools filter factory changes)
  4. Update WKT/GML parsing
  5. Extensive testing of spatial queries

Breaking Changes Expected:

  • Coordinate reference system factory methods
  • Filter factory API
  • Some deprecated methods removed

Testing Required

  • Spatial query functionality
  • WKT parsing and indexing
  • Coordinate transformation
  • CSW/WFS/WMS protocols
  • Solr spatial indexing
  • Performance benchmarks

Interim Mitigations

While upgrading:

  1. Input validation on all WKT/GML inputs
  2. Disable external entity processing in XML parsers
  3. Network-level restrictions on outbound connections
  4. Monitor for XXE attack patterns

References
