The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw impacting OSGeo GeoServer GeoTools to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion follows evidence of active exploitation in the wild, underscoring the urgency and severity of the issue.
Understanding GeoServer and Its Importance
GeoServer is a vital open-source software server, written in Java, that enables users to share and edit geospatial data. It serves as the reference implementation of the Open Geospatial Consortium (OGC) Web Feature Service (WFS) and Web Coverage Service (WCS) standards. Given its widespread use in various industries, any vulnerability within this system poses significant risks.
The Critical Flaw: CVE-2024-36401
The vulnerability, tracked as CVE-2024-36401 and carrying a CVSS score of 9.8, involves a case of remote code execution (RCE). This can be triggered by specially crafted input, making it an attractive target for malicious actors. According to an advisory released by the project maintainers, the flaw arises from the unsafe evaluation of property names as XPath expressions within multiple OGC request parameters. This allows unauthenticated users to execute remote code on a default GeoServer installation.
Advisory and Remediation
“Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions,” states the advisory. The advisory was issued earlier this month and highlights the critical nature of the flaw.
The vulnerability has been addressed in the following GeoServer versions:
- 2.23.6
- 2.24.4
- 2.25.2
Security researcher Steve Ikeoka is credited with reporting the flaw. Despite the fix, details on the exact methods of exploitation in the wild remain unclear. However, GeoServer has confirmed that the issue can be exploited through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute requests.
Additional Critical Vulnerability: CVE-2024-36404
In addition to CVE-2024-36401, another critical flaw (CVE-2024-36404) with an identical CVSS score of 9.8 was also patched. This vulnerability could result in RCE if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. The fix for this vulnerability has been implemented in GeoTools versions:
- 29.6
- 30.4
- 31.2
Federal Agencies Mandated to Apply Fixes
Due to the active exploitation of CVE-2024-36401, CISA has mandated that federal agencies apply the vendor-provided fixes by August 5, 2024. This directive highlights the critical nature of the vulnerability and the need for immediate action to secure affected systems.
Broader Implications in the Cybersecurity Landscape
The urgency of addressing these vulnerabilities in GeoServer is part of a broader trend of increased vigilance and rapid response within the cybersecurity community. Just recently, reports emerged about the active exploitation of another remote code execution vulnerability, this time in the Ghostscript document conversion toolkit (CVE-2024-29510). This flaw allows attackers to escape the -dSAFER sandbox and execute arbitrary code, posing significant risks to systems running the vulnerable software.
Ghostscript Vulnerability: CVE-2024-29510
The Ghostscript vulnerability, tracked as CVE-2024-29510, was responsibly disclosed by Codean Labs on March 14, 2024, and addressed in version 10.03.1. Despite the fix, the vulnerability has already been weaponized, enabling attackers to gain shell access to vulnerable systems, according to ReadMe developer Bill Mill.
Conclusion: The Ongoing Battle Against Cyber Threats
The recent addition of CVE-2024-36401 and CVE-2024-36404 to CISA’s KEV catalog, along with the exploitation of CVE-2024-29510, underscores the relentless nature of cyber threats and the importance of timely vulnerability management. Organizations using GeoServer and GeoTools must prioritize applying the latest patches to mitigate the risk of exploitation. Staying informed and proactive in addressing vulnerabilities is crucial in maintaining robust cybersecurity defenses.
Follow us on 
(Twitter) for real time updates and exclusive content.
Interesting Article : AT&T Data Breach Exposes Millions of Wireless Customers’ Call and Text Records
Pingback: BeaverTail Reborn: North Korean Hackers Target MacOS Users