CISA Warning: Critical GeoServer Vulnerability Actively Exploited


Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an important warning urging federal agencies to promptly patch a critical vulnerability, CVE-2024-36401, in GeoServer. This vulnerability has a CVSS score of 9.8, indicating its severe impact. Furthermore, there is evidence indicating active exploitation of this vulnerability.

CVE-2024-36401 Vulnerability Details


CVE-2024-36401 is a serious security flaw stemming from insecure handling of attribute names in GeoServer. Specifically, the vulnerability involves insecure evaluation of attribute names as XPath expressions, allowing unauthenticated attackers to remotely execute code on default installations of GeoServer through carefully crafted inputs.

GeoServer is an open-source server used for sharing and editing geospatial data, relying on the GeoTools library API for geospatial data processing. However, GeoServer fails to securely evaluate these attribute names when passed to libraries that execute code via XPath expressions, affecting all instances of GeoServer.

Scope of Impact and Remediation

Maintainers note that because XPath evaluation was incorrectly applied to simple feature types instead of complex feature types, this vulnerability affects all GeoServer instances and can be exploited through various types of requests.

GeoServer has released updates (2.23.6, 2.24.4, and 2.25.2) to address this vulnerability. Additionally, GeoTools has also released updates to fix CVE-2024-36404, another remote code execution vulnerability related to XPath expression evaluation, also with a CVSS score of 9.8.

Users can mitigate the risk by removing the “gt-complex-x.y.jar” file (“x.y” representing the GeoTools version) from the server. While this removes the vulnerable code, it may break some GeoServer functionality and should be done cautiously.
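As an added example (not code from the advisory or from the GeoServer project), the following Python check classifies a GeoServer version against the fixed releases named above and lists any gt-complex-x.y.jar still present in a library directory. The WEB-INF/lib location, the jar naming pattern, and reporting release lines the advisory does not mention as "unknown" rather than patched are assumptions.

```python
import re
from pathlib import Path
from typing import Iterable

# Fixed releases named in the advisory, keyed by (major, minor) release line.
FIXED_RELEASES = {
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}

# Assumed naming of the GeoTools complex-feature jar, e.g. gt-complex-31.2.jar.
GT_COMPLEX_JAR = re.compile(r"^gt-complex-\d+(?:\.\d+)*(?:-\w+)?\.jar$")


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing suffix such as '-SNAPSHOT' is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess_version(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a GeoServer version string."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is not None:
        return "patched" if (major, minor, patch) >= fixed else "vulnerable"
    # The advisory says every instance is affected, so release lines older than
    # the first fixed line have no fixed release and are reported as vulnerable.
    if (major, minor) < min(FIXED_RELEASES):
        return "vulnerable"
    # Newer lines are not covered by the advisory text: report, do not assume.
    return "unknown"


def gt_complex_jars(file_names: Iterable[str]) -> list:
    """Return the gt-complex-x.y.jar entries among the given file names."""
    return sorted(n for n in file_names if GT_COMPLEX_JAR.match(n))


def scan_lib_dir(lib_dir: Path) -> list:
    """List gt-complex jars in a directory (assumed: GeoServer's WEB-INF/lib)."""
    return gt_complex_jars(p.name for p in lib_dir.iterdir() if p.is_file())


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    for v in ("2.25.1", "2.25.2", "2.22.5"):
        print(v, assess_version(v))
    print(gt_complex_jars(["gt-complex-31.2.jar", "gt-main-31.2.jar"]))
```

A result of "vulnerable" with no gt-complex jar present means the mitigation was applied without upgrading; "patched" with the jar present is the expected state after an upgrade.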

CISA’s Urgent Call

CISA has added CVE-2024-36401 to its Known Exploited Vulnerabilities (KEV) catalog and urges federal agencies to identify and patch instances of this vulnerability in their environments by August 5th. While Binding Operational Directive (BOD) 22-01 applies specifically to federal agencies, CISA strongly recommends all organizations review their KEV list and take necessary actions to protect their environments.

Why Immediate Action Is Necessary

While CISA hasn’t provided specific details on active exploitation, current evidence suggests the vulnerability is actively being exploited. Unpatched GeoServer instances face significant security risks, as attackers can exploit this vulnerability for remote code execution, potentially leading to data breaches, service interruptions, or worse consequences.

Conclusion

CVE-2024-36401, a critical vulnerability in GeoServer, underscores the importance of securing geospatial data. Timely software updates and patches are essential to mitigate security risks. CISA’s urgent call highlights the critical nature of the issue, urging all affected organizations to act swiftly to safeguard their systems and data.