WARNING: GEOSERVER VULNERABILITY TARGETED BY THREAT ACTORS, PATCH IMMEDIATELY!

Published : 11/09/2024

Reference:
Advisory #2024-218

Version:
1.0

Affected software:
GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2

Type:
Remote Code Execution (RCE)

CVE/CVSS:
CVE-2024-36401: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

GeoServer - https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv

Risks

A critical Remote Code Execution (RCE) vulnerability has been identified in GeoServer, an open-source server used for sharing, processing, and editing geospatial data. The vulnerability allows unauthenticated attackers to execute arbitrary code through crafted OGC requests, potentially leading to severe disruptions in system operations, including data breaches, service interruptions and complete takeovers of susceptible instances.

This vulnerability impacts the Confidentiality, Integrity, and Availability (CIA) of affected systems, as attackers could gain unauthorized access, modify data, or cause major system downtime. Several organisations have confirmed that threat actors are exploiting this vulnerability; reported uses include installing backdoors associated with APT41, deploying botnets and cryptominers, and establishing C2 communication. Several proof-of-concept exploits are available.

Organizations relying on GeoServer for geospatial data management are urged to take immediate action to mitigate this vulnerability, as it poses significant risks to business continuity. Immediate patching or implementing available workarounds is strongly recommended to prevent exploitation. Failing to do so puts your entire IT infrastructure at risk.

Description

The vulnerability stems from the unsafe evaluation of property names as XPath expressions in the GeoTools library, which is called by GeoServer. GeoServer processes OGC requests and evaluates property/attribute names for feature types using the commons-jxpath library. Attackers can exploit this vulnerability by sending specially crafted requests that include malicious XPath expressions, resulting in arbitrary code execution.

This issue affects all GeoServer instances, including those with simple feature types, due to the improper application of XPath evaluations that were originally intended for more complex data schemas. OGC requests such as WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute can be used to exploit this vulnerability, even by unauthenticated users.

Attackers targeting this vulnerability can potentially compromise and take over an entire system, leading to unauthorized data access and/or major disruptions.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable instances with the highest priority, after thorough testing.

Patches are available in GeoServer versions 2.23.6, 2.24.4, and 2.25.2. Users should update to these versions or later to mitigate the vulnerability. Given the critical nature of this vulnerability, updating should be treated as a high-priority task for all affected GeoServer installations.

For immediate mitigation, a workaround exists; bear in mind that it is reported to break some functionality and can prevent your instance from deploying.

Monitor/Detect

The CCB recommends that organisations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
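As an added, constructed example (not part of the CCB advisory or of GeoServer's own tooling), the following Python scans web-server access log lines for the OGC request types named in the Description and flags property-name parameters that carry XPath syntax instead of the plain attribute names a simple feature type would use. The sample log lines, the access-log format and the parameter names checked are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# OGC request types the advisory lists as reaching the property-name evaluation.
SUSPECT_REQUESTS = {"getfeature", "getpropertyvalue", "getmap",
                    "getfeatureinfo", "getlegendgraphic", "execute"}
# KVP parameters that carry property/attribute names (assumed set; KVP keys are case-insensitive).
PROPERTY_PARAMS = {"propertyname", "valuereference"}
# A simple-feature attribute name: optional namespace prefix plus an identifier.
# Parentheses, slashes, brackets or quotes mean XPath syntax a simple feature type never needs.
SIMPLE_NAME = re.compile(r"^[A-Za-z_][\w.-]*(?::[A-Za-z_][\w.-]*)?$")
# Common/combined access-log request line: method, URL (percent-encoded), protocol, status.
ACCESS_LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def suspicious_property_values(url):
    """Return property-name values in a GeoServer KVP request URL that are not plain attribute names."""
    params = {}
    for key, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        params.setdefault(key.lower(), []).extend(values)   # merge case variants of a key
    request = params.get("request", [""])[0].lower()
    if request not in SUSPECT_REQUESTS:
        return []
    flagged = []
    for key in PROPERTY_PARAMS:
        for raw in params.get(key, []):            # parse_qs already percent-decoded the value
            for name in raw.split(","):
                name = name.strip()
                if name and not SIMPLE_NAME.match(name):
                    flagged.append(name)
    return flagged

def scan_access_log(lines):
    """Return (line_no, status, flagged_names) for log lines whose URL carries non-simple property names."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_LOG_RE.search(line)
        if m:
            flagged = suspicious_property_values(m.group(1))
            if flagged:
                hits.append((n, int(m.group(2)), flagged))
    return hits

# Constructed sample log lines: one normal GetFeature, one GetPropertyValue with XPath syntax, one GetCapabilities.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Sep/2024:10:01:02 +0200] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME,PERSONS HTTP/1.1" 200 5120',
    '10.0.0.7 - - [11/Sep/2024:10:01:09 +0200] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=name(%2Fa%5B1%5D) HTTP/1.1" 200 311',
    '10.0.0.9 - - [11/Sep/2024:10:02:30 +0200] "GET /geoserver/wms?service=WMS&version=1.1.1&request=GetCapabilities HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for line_no, status, names in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: HTTP {status}, non-simple property names {names}")
```

This only inspects KVP/GET query strings; WFS and WPS requests posted as XML bodies are not visible in an access log and need inspection at a proxy or WAF that sees the body. A 200 status on a flagged request is the case to triage first, since it means the request reached the evaluation rather than being rejected.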

References

Tenable - https://www.tenable.com/cve/CVE-2024-36401

Bleeping Computer - https://www.bleepingcomputer.com/news/security/cisa-warns-critical-geoserver-geotools-rce-flaw-is-exploited-in-attacks/

The Hacker News - https://thehackernews.com/2024/09/geoserver-vulnerability-targeted-by.html