External risk intelligence

GeoServer Remote Code Execution Vulnerability

CVE advisory

Known Exploit

CVE-2024-36401

A vulnerability in GeoServer allows unauthenticated attackers to execute arbitrary code. This impacts organizations using GeoServer for geospatial data sharing, posing a business risk through potential system compromise.

Halo Surface Signal: 5

Code Injection

GeoServer: before 2.22.6; 2.23.0 to before 2.23.6; 2.24.0 to before 2.24.4; 2.25.0 to before 2.25.2

GeoTools: before 29.6; 30.0; 30.1 to before 30.4; 31.0; 31.1 to before 31.2

External exposure likelihood

Halo Surface Signal score for CVE-2024-36401

GeoServer is designed to share and edit geospatial data via public-facing web service endpoints, including WFS and WMS. These interfaces are typically deployed as internet-accessible services to provide map data and spatial analysis to public or distributed clients, making the vulnerable functionality reachable by design in standard configurations.

Horizon Alert

Summary of the vulnerability and why it matters

GeoServer, a platform for sharing and editing geospatial data, has a vulnerability that allows for remote code execution. The flaw sits in the GeoTools library that GeoServer builds on: property names supplied in OGC requests are evaluated as XPath expressions. That evaluation is intended for complex feature types but is applied to simple features as well, so every GeoServer instance is affected regardless of the data it publishes. A specially crafted request can therefore cause attacker-supplied input to be evaluated as code on the server. The issue is fixed in GeoServer 2.22.6, 2.23.6, 2.24.4 and 2.25.2.

  • GeoServer and GeoTools components
  • Unsafe evaluation of input as code
  • Remote code execution on systems

Attack Path

How an attacker could exploit the issue

This vulnerability allows unauthenticated attackers to execute arbitrary code on GeoServer instances. The attack exploits a flaw in how GeoServer's underlying GeoTools library processes specific OGC request parameters: the property names named in a request are handed to GeoTools, which evaluates them as XPath expressions instead of treating them as plain attribute names. An attacker who places an expression where an attribute name is expected gets it evaluated on the server, leading to remote code execution. No credentials are required, only network access to the OGC endpoints.

  • Unauthenticated network access to GeoServer's OGC endpoints (WFS, WMS, WPS).
  • A crafted property name in an OGC request (such as WFS GetFeature, WMS GetMap or WPS Execute) is evaluated as an XPath expression.
  • Attacker achieves remote code execution as the GeoServer process.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in GeoServer allows for remote code execution by unauthenticated users. Attackers can exploit it by sending specially crafted property names through various GeoServer OGC requests. Exploitation is known to occur in the wild (the CVE is listed in CISA's Known Exploited Vulnerabilities catalog), and because the vulnerable endpoints are the ones GeoServer exposes to clients by design, internet-facing instances are directly reachable targets. Successful exploitation gives the attacker code execution on the affected server. Organizations should treat this vulnerability with a high degree of urgency.

  • Likely attacker skill level: Low
  • Required access or conditions: Network access
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in GeoServer could allow unauthenticated attackers to execute arbitrary code by sending specially crafted property names in OGC requests to the server. This could lead to a compromise of affected systems and potential business risk. Because the flaw is in how GeoTools evaluates OGC request parameters rather than in any particular data store, it affects all GeoServer installations on the affected versions.

  • Identify GeoServer assets, including the GeoServer and GeoTools versions they run and which WFS, WMS and WPS endpoints are reachable from the internet.
  • Reduce exposure: restrict access to the OGC endpoints where possible, or, as an interim workaround, remove the gt-complex-x.y.jar file from GeoServer's WEB-INF/lib directory (this may break functionality that depends on the gt-complex module).
  • Apply the vendor fix (2.22.6, 2.23.6, 2.24.4 or 2.25.2), verify the running version after the upgrade, and monitor request logs for property-name parameters that contain expressions rather than plain attribute names.

Frequently asked questions

What is GeoServer and its primary function?

GeoServer is an open-source server application designed for sharing and editing geospatial data. It enables users to publish maps and spatial information over the internet, making it a crucial component for Geographic Information Systems (GIS).

How does CVE-2024-36401 enable code execution?

CVE-2024-36401 is an 'Eval Injection' vulnerability (CWE-94, CWE-95). GeoServer, via its GeoTools library, unsafely evaluates property names as XPath expressions when processing certain OGC requests. This allows specially crafted input to be interpreted and executed as code.

What is the vulnerability's trigger path and scope?

The vulnerability is triggered by unauthenticated users sending specially crafted input through various OGC requests; the GeoServer advisory confirms WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute as exploitable paths. The XPath evaluation, intended for complex features, is incorrectly applied to simple features, so the attack works against any layer type and affects all GeoServer instances.
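The Attack Path section and this answer both describe the same trigger: a property-name parameter that carries an expression instead of an attribute name. The following detection heuristic, added here as an example and not code from the GeoServer project, applies that observation to web-server access logs. It parses query-string OGC requests, and flags any propertyName value that is not a plain (optionally namespace-prefixed) attribute name. The log lines are constructed for the example, the suspicious value is a generic function-call placeholder rather than a real payload, and the assumption that property names arrive in the query string (POST XML bodies are not visible in access logs) is noted in the code.

```python
"""Flag GeoServer OGC requests whose propertyName parameter looks like an XPath
expression rather than a plain attribute name (CVE-2024-36401 detection heuristic).
Added example; not GeoServer or GeoTools project code."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format, fictional hosts).
# Line 3 carries a generic function-call placeholder where an attribute name belongs.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2024:12:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=1.0.0&request=GetFeature&typeName=topp:states&propertyName=STATE_NAME,PERSONS HTTP/1.1" 200 5120
203.0.113.10 - - [10/Jul/2024:12:00:02 +0000] "GET /geoserver/wms?service=WMS&version=1.1.1&request=GetMap&layers=topp:states&bbox=-180,-90,180,90&width=256&height=256&srs=EPSG:4326&format=image/png HTTP/1.1" 200 8192
198.51.100.7 - - [10/Jul/2024:12:00:03 +0000] "GET /geoserver/wfs?service=WFS&version=1.0.0&request=GetFeature&typeName=topp:states&propertyName=someFunction(%27arg%27) HTTP/1.1" 200 210
198.51.100.7 - - [10/Jul/2024:12:00:04 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&propertyName=gml:name HTTP/1.1" 200 777
"""

# Apache combined log format: client, identd, user, timestamp, request line, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Request types the advisory lists as exploitable (lower-cased for comparison).
TRIGGER_REQUESTS = {"getfeature", "getpropertyvalue", "getmap",
                    "getfeatureinfo", "getlegendgraphic", "execute"}

# Assumption: property names arrive in the query string under propertyName.
# XML POST bodies are not visible in access logs and are not covered here.
PROPERTY_PARAMS = {"propertyname"}

# A benign property name: optional namespace prefix plus a simple identifier.
# Anything else (parentheses, quotes, slashes, operators) is treated as an expression.
SAFE_NAME = re.compile(r'^[A-Za-z_][\w.\-]*(:[A-Za-z_][\w.\-]*)?$')


def suspicious_property_values(target):
    """Return propertyName values in a request target that are not plain attribute names."""
    parts = urlsplit(target)
    params = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        params.setdefault(key.lower(), []).extend(values)  # parse_qs already URL-decodes
    request = params.get("request", [""])[0].lower()
    if request not in TRIGGER_REQUESTS:
        return []
    hits = []
    for key in PROPERTY_PARAMS:
        for value in params.get(key, []):
            for name in value.split(","):  # propertyName accepts a comma-separated list
                name = name.strip()
                if name and not SAFE_NAME.match(name):
                    hits.append(name)
    return hits


def scan_log(text):
    """Return (client_ip, request_path, offending_values) for each suspicious line."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        hits = suspicious_property_values(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("target").split("?")[0], hits))
    return findings


if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} suspicious propertyName value(s): {hits}")
```

Nested property paths (for example gml:name/text()) are legitimate for complex feature types, so on a server that publishes such layers the SAFE_NAME allowlist should be widened per layer rather than globally; for simple-feature layers, which are the ones the advisory says should never see XPath, any non-identifier value is worth investigating.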

What is the relevance of CVE-2024-36401?

This vulnerability allows unauthenticated attackers to execute arbitrary code remotely on GeoServer instances. Exploitation can lead to a compromise of affected systems, posing a significant business risk and requiring urgent attention.

What are the recommended actions for CVE-2024-36401?

Update GeoServer to version 2.22.6, 2.23.6, 2.24.4 or 2.25.2 (or later). If an upgrade cannot be applied immediately, a workaround is to remove the `gt-complex-x.y.jar` file from GeoServer's WEB-INF/lib directory; this removes the vulnerable code but may break functionality, or deployment, that depends on the gt-complex module. Identify GeoServer assets, reduce their exposure, apply the vendor fix, and verify the running version afterwards.
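The Priority actions bullets and this answer both come down to a version check against the affected ranges on this page plus a check that the workaround was actually applied. The following script, added here as an example and not GeoServer project code, encodes those ranges for both GeoServer and GeoTools and classifies an instance as fixed, vulnerable, or protected by the workaround from a listing of WEB-INF/lib. The jar file names used in the test are constructed; the affected ranges are taken from this page's version table.

```python
"""Classify a GeoServer/GeoTools deployment against the CVE-2024-36401 affected
ranges and the gt-complex workaround. Added example; not GeoServer project code."""
import re

# Affected version ranges from this page: (inclusive lower bound, exclusive upper bound).
# The GeoTools entries "30.0" and "30.1 to before 30.4" are merged into one range,
# as are "31.0" and "31.1 to before 31.2".
AFFECTED = {
    "geoserver": [((0, 0, 0), (2, 22, 6)), ((2, 23, 0), (2, 23, 6)),
                  ((2, 24, 0), (2, 24, 4)), ((2, 25, 0), (2, 25, 2))],
    "geotools":  [((0, 0, 0), (29, 6, 0)), ((30, 0, 0), (30, 4, 0)),
                  ((31, 0, 0), (31, 2, 0))],
}

VERSION_RE = re.compile(r'^(\d+)(?:\.(\d+))?(?:\.(\d+))?')

# GeoTools jars are named gt-<module>-<version>.jar; the page refers to gt-complex-x.y.jar.
GT_COMPLEX_JAR = re.compile(r'^gt-complex-[\w.\-]+\.jar$')


def parse_version(text):
    """Turn '2.25.1' (or '2.25.1-SNAPSHOT', '30.0') into a comparable 3-tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) if part else 0 for part in m.groups())


def is_affected(product, version):
    """True if this GeoServer or GeoTools version falls inside an affected range."""
    key = product.lower()
    if key not in AFFECTED:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED[key])


def gt_complex_jars(lib_listing):
    """Return gt-complex jar names present in a WEB-INF/lib file listing."""
    return [name for name in lib_listing if GT_COMPLEX_JAR.match(name)]


def assess(product, version, lib_listing=None):
    """Return 'fixed', 'workaround' or 'vulnerable' for one deployment.

    lib_listing is the list of file names in WEB-INF/lib; pass None when unknown,
    in which case an affected version is reported as vulnerable.
    """
    if not is_affected(product, version):
        return "fixed"
    if lib_listing is not None and not gt_complex_jars(lib_listing):
        return "workaround"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed inventory: (host, product, version, WEB-INF/lib listing or None).
    inventory = [
        ("gis-prod-1", "GeoServer", "2.24.3", ["gt-main-30.3.jar", "gt-complex-30.3.jar"]),
        ("gis-prod-2", "GeoServer", "2.24.3", ["gt-main-30.3.jar"]),
        ("gis-dev-1", "GeoServer", "2.25.2", None),
        ("gt-lib-1", "GeoTools", "31.1", None),
    ]
    for host, product, version, libs in inventory:
        print(f"{host}: {product} {version} -> {assess(product, version, libs)}")
```

The version strings can be read from the GeoServer web admin status page or the authenticated REST endpoint /rest/about/version, which reports both the GeoServer and the bundled GeoTools version; listing WEB-INF/lib on the host confirms whether the gt-complex jar is still deployed after a workaround.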
