CISA Warns of GeoServer RCE Vulnerability Under Active Exploitation


The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a critical Remote Code Execution (RCE) vulnerability in GeoServer, identified as CVE-2024-36401.

This vulnerability is currently under active exploitation by malicious actors, posing significant risks to systems using the affected GeoServer versions.


GeoServer RCE Vulnerability

The vulnerability stems from the GeoTools library API that GeoServer relies on to evaluate property and attribute names for feature types. This evaluation unsafely passes the names to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions.


This flaw allows unauthenticated attackers to execute arbitrary code by sending specially crafted inputs to a default GeoServer installation.

The vulnerability affects the following versions of GeoServer and GeoTools:

  • GeoServer: Versions prior to 2.23.6, 2.24.0 to 2.24.3, and 2.25.0 to 2.25.1.
  • GeoTools: Versions prior to 29.6, 30.0 to 30.3, and 31.0 to 31.1.

The exploitation of this vulnerability can be achieved through multiple OGC request parameters, including WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute requests.

Successful exploitation allows attackers to execute arbitrary code on the affected systems, potentially leading to severe consequences such as data breaches and system compromise.

While no public proof of concept (PoC) has been released, security researchers have confirmed the exploitability of this vulnerability. Its CVSS score of 9.8 underscores its critical nature.

Mitigation and Workaround

CISA recommends the following mitigation steps to protect against this vulnerability:

  1. Update to Latest Versions: Users are strongly advised to upgrade to the latest versions of GeoServer and GeoTools, which contain patches addressing this vulnerability. The patched versions include GeoServer 2.23.6, 2.24.4, and 2.25.2, and GeoTools 29.6, 30.4, and 31.2.
  2. Apply Security Patches: For those unable to upgrade immediately, security patches are available for affected versions. These patches can be downloaded from the official GeoServer and GeoTools repositories and include updated gt-app-schema, gt-complex, and gt-xsd-core jar files.
  3. Temporary Workaround: As a temporary measure, users can remove the gt-complex-x.y.jar file from their GeoServer installation. This action eliminates the vulnerable code but may disrupt some GeoServer functionality, especially if extensions in use require the module.

  • For GeoServer WAR Deployments:
    • Stop the application server.
    • Unzip geoserver.war into a directory.
    • Remove the WEB-INF/lib/gt-complex-x.y.jar file.
    • Rezip the directory into a new geoserver.war.
    • Restart the application server.
  • For GeoServer Binary Deployments:
    • Stop Jetty.
    • Remove the webapps/geoserver/WEB-INF/lib/gt-complex-x.y.jar file.
    • Restart Jetty.
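As an added example (not from CISA's alert or the GeoServer project), the following POSIX shell helper lets an administrator classify a GeoServer version string against the affected ranges listed above and locate the gt-complex jar that the workaround removes. The webapp path and the version values used in the sample run are constructed assumptions.

```shell
#!/bin/sh
# Defender-side check for CVE-2024-36401 (hypothetical helper, not GeoServer tooling).

# Returns 0 (true) when the GeoServer version is in an affected range,
# 1 when it is a patched release (2.23.6, 2.24.4, 2.25.2 or later lines).
geoserver_affected() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    # Strip suffixes such as "-SNAPSHOT" so the numeric comparison works.
    patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    patch=${patch:-0}
    minor=${minor:-0}
    # Only the 2.x series exists in the advisory; anything older is affected.
    if [ "$major" -ne 2 ]; then
        [ "$major" -lt 2 ]
        return $?
    fi
    case "$minor" in
        23) [ "$patch" -lt 6 ] ;;   # fixed in 2.23.6
        24) [ "$patch" -lt 4 ] ;;   # fixed in 2.24.4
        25) [ "$patch" -lt 2 ] ;;   # fixed in 2.25.2
        *)  [ "$minor" -lt 23 ] ;;  # 2.22 and earlier: affected; 2.26+: fixed
    esac
}

# Prints every gt-complex jar under <webapp>/WEB-INF/lib (binary install:
# webapps/geoserver; WAR install: the directory geoserver.war was unzipped into).
# Returns 0 if at least one jar is present, 1 if the workaround is already applied.
find_gt_complex() {
    found=$(find "$1/WEB-INF/lib" -name 'gt-complex-*.jar' 2>/dev/null || true)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Sample run with constructed values; override via environment variables.
ver="${GEOSERVER_VERSION:-2.25.1}"
if geoserver_affected "$ver"; then
    echo "GeoServer $ver is in an affected range: upgrade or remove gt-complex"
else
    echo "GeoServer $ver is not in an affected range"
fi
find_gt_complex "${GEOSERVER_WEBAPP:-webapps/geoserver}" || echo "no gt-complex jar found"
```

Removing the jar is only the stop-gap described above; upgrading to a patched release remains the real fix.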

CISA emphasizes the urgency of addressing this vulnerability due to its active exploitation and the severe risk it poses to affected systems. Organizations using GeoServer are urged to take immediate action by applying the recommended updates or mitigation measures to safeguard their systems against potential attacks.

How to Check GeoServer Version

Identify the version of GeoServer you are running. This can typically be found in the GeoServer web interface under “About GeoServer” or by checking the geoserver.war file name if you have it deployed.
