6600+ Vulnerable GeoServer Instances Exposed to the Internet


Security analysts have identified 6,635 GeoServer instances exposed to the Internet, which makes them vulnerable to critical remote code execution (RCE) attacks.

A recent tweet from the Shadowserver Foundation stated that the vulnerability, tracked as CVE-2024-36401, affects GeoServer versions before 2.23.6, 2.24.4, and 2.25.2.

GeoServer, an open-source server enabling users to share and edit geospatial data, is widely used in various industries, including urban planning, environmental monitoring, and resource management.

The identified vulnerability stems from multiple OGC request parameters that allow unauthenticated users to execute arbitrary code through specially crafted inputs.

This is due to the unsafe evaluation of property names as XPath expressions within the GeoTools library API, on which GeoServer depends.

CVE-2024-36401 – Vulnerable GeoServer Instances

The vulnerability is particularly concerning because it applies to all GeoServer instances, not just those using complex feature types.

The exploitation can occur through several request types, including WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute requests.
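A defender reviewing access logs can at least triage the request types named above. The following is an added example, not code from the article or from the GeoServer project: it parses constructed Apache-style access log lines, keeps only requests whose OGC `request` parameter is one of the listed operations, and flags property-name parameters whose value does not look like a plain property name. The parameter names checked (`propertyName`, `valueReference`) and the "plain name" character class are assumptions chosen for this heuristic, not a vendor-supplied signature.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Request types the article lists as exploitation paths (OGC KVP is case-insensitive).
RISKY_REQUESTS = {
    "getfeature", "getpropertyvalue", "getmap",
    "getfeatureinfo", "getlegendgraphic", "execute",
}
# Assumption: KVP parameters that carry property names in WFS/WMS requests.
PROPERTY_PARAMS = {"propertyname", "valuereference"}
# Assumption: a legitimate property name is an identifier, optionally namespaced,
# with path separators and commas for lists. Anything else is worth a look.
PLAIN_NAME = re.compile(r"^[A-Za-z_][\w:./,@-]*$")

# Common/combined access-log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (RFC 5737 test addresses); not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jul/2024:12:00:01 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetFeature&typeNames=topp:states'
    '&propertyName=STATE_NAME,the_geom HTTP/1.1" 200 5120',
    '203.0.113.10 - - [10/Jul/2024:12:00:02 +0000] "GET /geoserver/wfs?service=WFS'
    '&request=GetCapabilities HTTP/1.1" 200 41200',
    '198.51.100.7 - - [10/Jul/2024:12:00:05 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetFeature&typeNames=topp:states'
    '&propertyName=foo(bar) HTTP/1.1" 200 310',
    '198.51.100.7 - - [10/Jul/2024:12:00:06 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetPropertyValue&typeNames=topp:states'
    '&valueReference=topp:STATE_NAME HTTP/1.1" 200 900',
]


def suspicious_params(target: str) -> Dict[str, List[str]]:
    """Return {param: [odd values]} for a risky OGC request, or {} if nothing stands out."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)  # percent-decodes
    lowered = {k.lower(): v for k, v in query.items()}
    requested = [r.lower() for r in lowered.get("request", [])]
    if not any(r in RISKY_REQUESTS for r in requested):
        return {}
    flagged: Dict[str, List[str]] = {}
    for name, values in lowered.items():
        if name in PROPERTY_PARAMS:
            odd = [v for v in values if not PLAIN_NAME.match(v)]
            if odd:
                flagged[name] = odd
    return flagged


def scan_log(lines: List[str]) -> List[dict]:
    """Parse each line and collect the requests whose property-name parameters look abnormal."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # not an access-log line we understand; skip rather than guess
        flagged = suspicious_params(match["target"])
        if flagged:
            hits.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "status": int(match["status"]),
                "params": flagged,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} flagged={hit['params']}")
```

Two caveats apply when running this over real logs: WPS Execute and many WFS requests arrive as POST bodies, which an access log does not record, so this only sees KVP requests on the query string; and a non-matching value is a triage cue, not proof of exploitation, since unusual but legitimate property paths exist.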

Security experts have confirmed the exploitability of this vulnerability, although no public proof-of-concept (PoC) has been released.

The potential impact of this vulnerability includes unauthorized access and control over the affected GeoServer instances, posing significant risks to data integrity and security.

GeoServer users are strongly advised to upgrade to versions 2.23.6, 2.24.4, or 2.25.2, which contain patches addressing this critical issue.

As an interim measure, users can remove the gt-complex-x.y.jar file from their GeoServer installations, where x.y corresponds to the GeoTools version (e.g., gt-complex-31.1.jar for GeoServer 2.25.1).

However, this workaround may disrupt some functionalities or prevent deployment if the gt-complex module is essential.
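Checking an inventory of GeoServer hosts against the fixed versions named above is a small but error-prone task, because each release series has its own fix level. The following is an added example, not code from the article or from the GeoServer project: it classifies a version string as affected or patched using only the three fixed versions the advisory lists (2.23.6, 2.24.4, 2.25.2). Treating any series newer than 2.25 as carrying the fix is an assumption of this example, and it should be confirmed against the project's release notes.

```python
from typing import Dict, Tuple

# Fixed versions named in the advisory; one per affected release series.
FIXED_VERSIONS: Tuple[Tuple[int, ...], ...] = ((2, 23, 6), (2, 24, 4), (2, 25, 2))


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'MAJOR.MINOR.PATCH'; a suffix such as '-SNAPSHOT' is ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True if the version precedes the fix for its release series (CVE-2024-36401)."""
    v = parse_version(version)
    # Same series as a fixed release: compare the patch level within that series.
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2]:
            return v < fixed
    # A series older than 2.23 predates every fixed release, so it is affected.
    if v[:2] < FIXED_VERSIONS[0][:2]:
        return True
    # Assumption: a series newer than 2.25 was cut after the fix and includes it.
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: version} inventory to 'vulnerable', 'patched' or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            result[host] = "unknown"  # malformed or missing version string: check by hand
    return result


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are placeholders.
    sample = {"gis-a.example": "2.25.1", "gis-b.example": "2.23.6", "gis-c.example": "n/a"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

The version string itself is usually visible on the GeoServer welcome page or in the installed jar names, so this check works from an existing asset inventory without sending any special requests to the hosts.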

The discovery of these vulnerable instances underscores the importance of regular software updates and vigilant security practices to protect against emerging threats.

GeoServer users must act swiftly to mitigate the risks associated with CVE-2024-36401 and safeguard their geospatial data.
