Impact
Programs using jt-jiffle, and allowing Jiffle script to be provided via network request, are susceptible to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project.
Patches
Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script.
Workarounds
Negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.
References
None.
Impact
Programs using jt-jiffle, and allowing Jiffle script to be provided via network request, are susceptible to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project.
Patches
Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script.
Workarounds
Negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.
References
None.