PT-2025-43739 · Maven · org.opensearch.dataprepper.plugins:geoip-processor

Published: 2025-10-15 · Updated: 2025-10-15

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Impact

The GeoIP processor in Data Prepper trusted every TLS certificate and skipped hostname verification when downloading GeoIP databases from remote URLs, so an attacker positioned on the network path could tamper with the download (man-in-the-middle).

The processor's custom SSL setup, in its initiateSSL() method, bypassed certificate validation entirely for database downloads from external sources. Specifically, it:
  • Accepted every certificate chain without validation
  • Disabled server certificate verification
  • Disabled client certificate verification
  • Disabled hostname verification

Because the connection no longer proved it was talking to the intended server, an attacker on the path could serve a substituted GeoIP database and so corrupt the geolocation data that downstream pipelines rely on. The CVSS vector (AC:H, C:N, I:H, A:N) reflects this: the attacker needs a network position from which to intercept the download, and the impact is on data integrity rather than confidentiality or availability.
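The trust-all pattern the advisory describes, placed beside a hardened version, as an added illustration. This is not Data Prepper's own code and does not reproduce its initiateSSL() method; the class and method names, the timeouts and the caller-supplied SHA-256 digest are assumptions made for the example.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class GeoIpDatabaseFetch {

    /** VULNERABLE pattern (the "before"): every method of the trust manager is a
     *  no-op, so any chain, self-signed or attacker-issued, is accepted. */
    static SSLContext trustAllContext() throws Exception {
        TrustManager[] trustAll = {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        return ctx;
    }

    /** VULNERABLE download: trust-all context plus a hostname verifier that always
     *  returns true, which is what disables hostname verification. */
    static void downloadInsecure(URL url, Path dest) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(trustAllContext().getSocketFactory());
        HostnameVerifier acceptAny = (hostname, session) -> true;
        conn.setHostnameVerifier(acceptAny);
        try (InputStream in = conn.getInputStream()) {
            Files.copy(in, dest, StandardCopyOption.REPLACE_EXISTING);
        }
    }

    /** HARDENED download: insist on https, keep the JDK's default trust store and
     *  hostname verification, and check the file against a digest obtained out of
     *  band (assumed here to be supplied by the caller). */
    static void downloadSecure(URL url, Path dest, String expectedSha256Hex) throws Exception {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("refusing non-HTTPS database URL: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Deliberately no setSSLSocketFactory / setHostnameVerifier: the defaults
        // validate the chain against the trust store and the name against the cert.
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(60_000);
        Path dir = dest.toAbsolutePath().getParent();
        Path tmp = Files.createTempFile(dir, "geoip-", ".part");
        try (InputStream in = conn.getInputStream()) {
            Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
        }
        String actual = sha256Hex(tmp);
        if (!actual.equalsIgnoreCase(expectedSha256Hex)) {
            Files.deleteIfExists(tmp);   // never leave an unverified database in place
            throw new SecurityException("GeoIP database digest mismatch: expected "
                    + expectedSha256Hex + ", got " + actual);
        }
        Files.move(tmp, dest, StandardCopyOption.REPLACE_EXISTING);
    }

    static String sha256Hex(Path file) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(Files.readAllBytes(file));
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // usage: java GeoIpDatabaseFetch <https-url> <dest-path> <expected-sha256-hex>
        downloadSecure(new URL(args[0]), Path.of(args[1]), args[2]);
        System.out.println("downloaded and verified " + args[1]);
    }
}
```

The difference between the two paths is what is not there: the hardened method never installs its own SSLSocketFactory or HostnameVerifier, so the JDK's chain validation and hostname matching stay active, and a mismatched name or an untrusted issuer fails the connection. The digest check is a second, independent control: it protects the download even if the TLS layer is ever weakened again, provided the expected digest itself was not fetched over the same untrusted channel.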

Patches

Data Prepper 2.12.2 contains a fix for this issue.

Workarounds

If upgrading is not immediately possible:
  • Use local GeoIP database files instead of downloading from HTTP URLs
  • Ensure database downloads occur only over trusted networks

Weakness Enumeration

Improper Certificate Validation (CWE-295)

Related Identifiers

GHSA-3xgr-h5hq-7299

Affected Products

org.opensearch.dataprepper.plugins:geoip-processor