Advisory

July 16, 2024 Advisory: Vulnerability in GeoServer GeoTools Mapping Toolkit Enables RCE [CVE-2024-36401]

  • Date Published: July 16th, 2024
  • CVE-ID and CVSS Score: CVE-2024-36401 (CVSS Score 9.8)
  • Issue Name and Description: OSGeo GeoServer GeoTools Eval Injection Vulnerability
  • Asset Description: GeoServer is an open source server that allows users to share and edit geospatial data. This vulnerability relates specifically to how property/attribute names are processed during an API call to the GeoTools library. Affected versions are those before 2.23.6, 2.24.0 and later before 2.24.4, and 2.25.0 and later before 2.25.2.
  • Vulnerability Impact: If successfully exploited, an attacker could:
    • Execute arbitrary code with root privileges
    • Install malware and create backdoors
    • Manipulate data and traverse other vulnerable systems
    • Bypass security mechanisms like firewalls and intrusion detection systems
    • Conduct significant data breaches, resulting in the leakage of sensitive information
  • Exploitation Details:
    • This vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalog on July 15, 2024.
    • Vulnerable versions have multiple OGC request parameters that allow unauthenticated users to achieve Remote Code Execution (RCE) through specially crafted input against a default GeoServer installation, because property names are unsafely evaluated as XPath expressions.
    • No public PoC has been released, but the vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.
  • Patch Availability:
    • GeoServer has patched this vulnerability in versions 2.23.6, 2.24.4, and 2.25.2.
    • A workaround exists: remove the gt-complex-x.y.jar file from GeoServer, where x.y is the GeoTools version (e.g., gt-complex-31.1.jar if running GeoServer 2.25.1). This removes the vulnerable code from GeoServer but may break some GeoServer functionality, or prevent GeoServer from deploying, if the gt-complex module is needed.
  • Detection with Censys: The following queries can be leveraged to identify Censys-visible, public-facing GeoServer instances. Note that they do not pinpoint all vulnerable versions, only instances that expose their version.
    • Censys Search query: services.software: (vendor: "GeoServer" and product: "GeoServer")
    • Censys ASM query: host.services.software: (vendor: "GeoServer" and product: "GeoServer") or (web_entity.instances.software.vendor: "GeoServer" and web_entity.instances.software.product: "GeoServer")
    • Censys ASM Risk query: risks.name="Vulnerable GeoServer [CVE-2024-36401]"
  • References:
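The Censys queries above return GeoServer instances, not vulnerable ones, so the version each instance exposes still has to be compared against the affected and fixed releases listed in this advisory. The following is an added example, not Censys or GeoServer code, that encodes those ranges so version strings taken from banners or software records can be triaged in bulk. It assumes versions are dotted integers (a missing patch component counts as .0) and ignores suffixes such as "-SNAPSHOT"; the sample records and IPs are constructed.

```python
"""Triage GeoServer version strings against the CVE-2024-36401 ranges.

Added example, not Censys or GeoServer code. Encodes the affected and fixed
versions stated in the advisory. Assumptions: versions are dotted integers,
a missing patch component counts as .0, suffixes such as "-SNAPSHOT" are ignored.
"""
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Half-open ranges [first_vulnerable, fixed): the fixed release itself is safe.
VULNERABLE_RANGES: List[Tuple[Version, Version]] = [
    ((0, 0, 0), (2, 23, 6)),   # everything before 2.23.6
    ((2, 24, 0), (2, 24, 4)),  # 2.24.0 up to, but not including, 2.24.4
    ((2, 25, 0), (2, 25, 2)),  # 2.25.0 up to, but not including, 2.25.2
]

# Fixed releases named in the advisory, oldest first.
FIXED_VERSIONS = ["2.23.6", "2.24.4", "2.25.2"]


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from e.g. '2.25.1' or 'GeoServer 2.24.3-SNAPSHOT'.

    Returns None when no dotted version is present (the banner hides the version).
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if fixed, None if unknown."""
    v = parse_version(version_text)
    if v is None:
        return None
    return any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)


def recommended_fix(version_text: str) -> Optional[str]:
    """Fixed release on the same 2.x line; older lines are pointed at 2.23.6,
    the oldest fixed release (an interpretation, not advisory text)."""
    v = parse_version(version_text)
    if v is None or not is_vulnerable(version_text):
        return None
    for fixed in FIXED_VERSIONS:
        fv = parse_version(fixed)
        if fv is not None and fv[:2] == v[:2]:
            return fixed
    return FIXED_VERSIONS[0]


def triage(records: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """records: (host, version_text) pairs. Returns (host, version_text, status),
    with status one of 'vulnerable', 'fixed' or 'unknown'."""
    out = []
    for host, version_text in records:
        state = is_vulnerable(version_text)
        status = "unknown" if state is None else ("vulnerable" if state else "fixed")
        out.append((host, version_text, status))
    return out


# Constructed sample records (documentation-range IPs, not real hosts).
SAMPLE_RECORDS = [
    ("203.0.113.10", "GeoServer 2.25.1"),  # the advisory's own example: vulnerable
    ("203.0.113.11", "2.25.2"),            # fixed release
    ("203.0.113.12", "2.24.3"),            # last affected 2.24.x
    ("203.0.113.13", "2.24.4"),            # fixed release
    ("203.0.113.14", "2.22.0"),            # older line, still before 2.23.6
    ("203.0.113.15", "2.23.6"),            # fixed release
    ("203.0.113.16", ""),                  # banner does not expose a version
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_RECORDS):
        fix = recommended_fix(ver) or "-"
        print(f"{host:<14} {ver or '(no version)':<20} {status:<11} upgrade to: {fix}")
```

Instances that report "unknown" are not cleared: a hidden version banner means the host still has to be checked by other means (asset inventory or the jar present under the deployment), which is also why the advisory's queries are framed as finding GeoServer instances rather than vulnerable ones.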
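Because the advisory names the exact WFS, WMS and WPS operations that have been confirmed exploitable, and states that the root cause is property names being evaluated as XPath expressions, a defender can baseline traffic to those operations and flag property-name parameters that are not plain attribute names. The block below is an added example, not Censys or GeoServer code, run over constructed Apache "combined"-style access-log lines. The parameter names it inspects (propertyName, valueReference) and the "plain attribute name" pattern are assumptions for illustration; XML-encoded requests and WPS Execute travel in POST bodies, which an access log does not record, so those need inspection at a reverse proxy or WAF instead.

```python
"""Baseline and flag requests to the OGC operations named in the advisory.

Added example, not Censys or GeoServer code. Parses constructed Apache
"combined"-style access-log lines, counts requests to the listed WFS/WMS/WPS
operations, and flags property-name parameters that are not plain attribute
names. Assumptions: the parameter names checked and the plain-name pattern are
illustrative; POST bodies (XML requests, WPS Execute) are not visible here.
"""
import re
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# (SERVICE, REQUEST) pairs taken from the advisory's exploitation details.
AFFECTED_OPERATIONS = {
    ("WFS", "GETFEATURE"), ("WFS", "GETPROPERTYVALUE"),
    ("WMS", "GETMAP"), ("WMS", "GETFEATUREINFO"), ("WMS", "GETLEGENDGRAPHIC"),
    ("WPS", "EXECUTE"),
}
# KVP parameters that carry property/attribute names (assumed set, lower-cased).
PROPERTY_PARAMS = ("propertyname", "valuereference")
# A plain attribute name: optional namespace prefix, then identifier characters.
PLAIN_NAME = re.compile(r"^[A-Za-z_][\w.\-]*(?::[A-Za-z_][\w.\-]*)?$")
# Apache combined-log prefix: ip ident user [time] "METHOD path proto" status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Split one log line into ip, time, method, status and lower-cased query params."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec: Dict[str, Any] = m.groupdict()
    query = urlsplit(m.group("path")).query
    rec["params"] = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
    return rec


def affected_operation(params: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """Return (SERVICE, REQUEST) when the request targets one of the listed operations."""
    op = (params.get("service", [""])[0].upper(), params.get("request", [""])[0].upper())
    return op if op in AFFECTED_OPERATIONS else None


def odd_property_name(params: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """Return (param, value) for the first property-name parameter that is not a list of plain names."""
    for key in PROPERTY_PARAMS:
        for value in params.get(key, []):
            # A comma-separated list of attribute names is normal; every element must be plain.
            if not all(PLAIN_NAME.match(name.strip()) for name in value.split(",")):
                return (key, value)
    return None


def scan(lines: List[str]) -> Dict[str, Any]:
    """Count requests to affected operations and collect the flagged ones as
    (ip, REQUEST, param, value) tuples."""
    affected = 0
    flagged: List[Tuple[str, str, str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        op = affected_operation(rec["params"])
        if op is None:
            continue
        affected += 1
        odd = odd_property_name(rec["params"])
        if odd:
            flagged.append((rec["ip"], op[1], odd[0], odd[1]))
    return {"affected_requests": affected, "flagged": flagged}


# Constructed sample log (documentation-range IPs; not captured traffic).
SAMPLE_LOG = [
    # Legitimate GetFeature selecting two attributes of the demo layer.
    '198.51.100.5 - - [16/Jul/2024:10:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME,PERSONS HTTP/1.1" 200 5120 "-" "QGIS/3.34"',
    # Legitimate GetMap: a listed operation, but no property-name parameter to inspect.
    '198.51.100.6 - - [16/Jul/2024:10:00:02 +0000] "GET /geoserver/wms?service=WMS&version=1.1.1&request=GetMap&layers=topp:states&bbox=-125,24,-66,50&width=768&height=330&srs=EPSG:4326&format=image/png HTTP/1.1" 200 40211 "-" "Mozilla/5.0"',
    # GetCapabilities is not one of the listed operations and is ignored.
    '198.51.100.7 - - [16/Jul/2024:10:00:03 +0000] "GET /geoserver/wfs?service=WFS&request=GetCapabilities HTTP/1.1" 200 9800 "-" "curl/8.4.0"',
    # Constructed anomaly: function-call syntax where an attribute name is expected.
    '203.0.113.9 - - [16/Jul/2024:10:00:04 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=placeholder(1) HTTP/1.1" 400 612 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    print(f"requests to listed operations: {result['affected_requests']}")
    for ip, op, param, value in result["flagged"]:
        print(f"FLAG {ip} {op} {param}={value!r}")
```

The count of requests to the listed operations gives a baseline per source, so a burst of GetPropertyValue or GetFeature calls from a host that never used them before stands out even when the parameter values look clean; the flagged list is the higher-confidence signal and is worth correlating with the Censys result for the same host and with the version triage.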