GeoServer vulnerability actively abused, CISA warns

CISA has added CVE-2024-36401 to its catalog of known exploited vulnerabilities.

The Cybersecurity & Infrastructure Security Agency (CISA) has added a GeoServer vulnerability to its catalog of Known Exploited Vulnerabilities. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by August 5, 2024 to protect their networks against active threats.

GeoServer is an open-source server that allows users to share and edit geospatial data. Some government agencies use GeoServer for managing and sharing spatial data related to urban planning, environmental monitoring, public works, and emergency response.

The affected packages are org.geoserver.web:gs-web-app, org.geoserver:gs-wfs, and org.geoserver:gs-wms. For each of them, the affected versions are >= 2.24.0 and < 2.24.4, >= 2.25.0 and < 2.25.2, and < 2.23.6; the patched versions are 2.24.4, 2.25.2, and 2.23.6 respectively. These patches were made available two weeks ago.

The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to all GeoServer instances.

This vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.
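The request types above give a defender something concrete to watch for in web-server access logs. The script below is an added example, not part of the advisory or of GeoServer: it parses combined-format access log lines (the sample lines are constructed), keeps only the WFS, WMS and WPS request types the advisory names, and flags any request whose property-name parameter (`propertyName` or `valueReference`, the standard WFS KVP parameters) does not look like a plain property name. It is a triage heuristic for review, not a detection signature.

```python
"""Flag OGC requests of the kinds named in the advisory whose property-name
parameters do not look like plain property names.  Added example; the log
lines below are constructed, not real traffic."""
import re
from urllib.parse import urlparse, parse_qs

# Request types the advisory lists as confirmed exploitable, keyed by OGC service.
WATCHED_REQUESTS = {
    "WFS": {"GETFEATURE", "GETPROPERTYVALUE"},
    "WMS": {"GETMAP", "GETFEATUREINFO", "GETLEGENDGRAPHIC"},
    "WPS": {"EXECUTE"},
}

# KVP parameters that carry property/attribute names in WFS requests
# (propertyName in WFS 1.x/2.0, valueReference in WFS 2.0 GetPropertyValue).
PROPERTY_PARAMS = {"propertyname", "valuereference"}

# A plain (simple-feature) property name: optional namespace prefix, then a
# name made of letters, digits, underscores, dots or hyphens.  Anything else
# (parentheses, brackets, quotes, slashes) is worth an analyst's look.
SIMPLE_NAME = re.compile(r"^[A-Za-z_][\w.\-]*(:[A-Za-z_][\w.\-]*)?$")

# Combined log format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def parse_line(line):
    """Split one access-log line into client, time, path, status and query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, _method, target, status = m.groups()
    url = urlparse(target)
    params = {k.lower(): v for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return {"client": client, "time": ts, "path": url.path, "status": int(status), "params": params}


def classify(entry):
    """Return a reason string if the entry deserves attention, else None."""
    params = entry["params"]
    service = params.get("service", [""])[0].upper()
    request = params.get("request", [""])[0].upper()
    if request not in WATCHED_REQUESTS.get(service, set()):
        return None
    for name in PROPERTY_PARAMS:
        for value in params.get(name, []):
            # Several property names may be comma-separated; check each one.
            for prop in value.split(","):
                prop = prop.strip()
                if prop and not SIMPLE_NAME.match(prop):
                    return f"{service} {request}: non-simple {name}={prop!r}"
    return None


def scan(lines):
    """Run classify() over every parseable line and collect (client, reason) hits."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((entry["client"], reason))
    return hits


# Constructed sample log lines (not real traffic).  The second one carries an
# XPath function call where a property name is expected.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2024:12:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME,PERSONS HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Jul/2024:12:00:07 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=count(STATE_NAME) HTTP/1.1" 500 310',
    '10.0.0.5 - - [10/Jul/2024:12:00:09 +0000] "GET /geoserver/wms?service=WMS&request=GetCapabilities HTTP/1.1" 200 40000',
]

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(client, reason)
```

Only the second constructed line is reported: it is a WFS GetPropertyValue request whose `valueReference` is a function call rather than a property name. Legitimate complex-feature (Application Schema) deployments do use XPath-like property paths, so on such servers the allowed-name pattern should be widened rather than the hits treated as incidents outright.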

A workaround against this vulnerability can be achieved by removing the `gt-complex-x.y.jar` file from the GeoServer installation, where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed. More details about the workaround can be found on the GeoServer GitHub.
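Putting the affected version ranges and the workaround together, an administrator with several GeoServer instances wants a quick verdict per host. The script below is an added example written for this article, not GeoServer project code: it encodes only the ranges stated above (>= 2.24.0 and < 2.24.4, >= 2.25.0 and < 2.25.2, < 2.23.6, patched in 2.24.4, 2.25.2 and 2.23.6), and checks whether a `gt-complex-x.y.jar` is still present in the jar directory. The `WEB-INF/lib` location and the version strings are assumptions for illustration.

```python
"""Triage a GeoServer install against CVE-2024-36401: is the version inside the
affected ranges, and has the gt-complex workaround been applied?  Added example
based only on the ranges and workaround the advisory states; not GeoServer
project code.  Paths and version strings are assumed for illustration."""
import re
import sys
from pathlib import Path

# First patched release per 2.x line, from the advisory:
# affected are >= 2.24.0 and < 2.24.4, >= 2.25.0 and < 2.25.2, and < 2.23.6.
FIXED_IN = {
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}


def parse_version(text):
    """'2.25.1' -> (2, 25, 1); trailing suffixes such as '-SNAPSHOT' are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version):
    """True if the version falls inside the advisory's affected ranges."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is not None:
        return v < fixed
    # Lines older than 2.23 have no patched release of their own: everything
    # below 2.23.6 is affected.  Lines newer than 2.25 post-date the fix.
    return v < (2, 23, 6)


def recommended_version(version):
    """Patched release on the same line, or 2.23.6 for older lines."""
    fixed = FIXED_IN.get(parse_version(version)[:2], FIXED_IN[(2, 23)])
    return ".".join(map(str, fixed))


# The jar the advisory says to remove: gt-complex-<GeoTools version>.jar
GT_COMPLEX = re.compile(r"^gt-complex-\d+\.\d+(\.\d+)?\.jar$")


def gt_complex_jars(jar_names):
    """Names matching the gt-complex jar among the given WEB-INF/lib entries."""
    return sorted(n for n in jar_names if GT_COMPLEX.match(n))


def triage(version, jar_names):
    """One-line verdict for a version string plus the jar names found in WEB-INF/lib."""
    if not is_vulnerable(version):
        return f"GeoServer {version}: not in affected range"
    present = gt_complex_jars(jar_names)
    fix = recommended_version(version)
    if not present:
        return f"GeoServer {version}: affected, gt-complex jar removed (workaround in place); upgrade to {fix}"
    return f"GeoServer {version}: AFFECTED, {present[0]} present; upgrade to {fix} or apply the workaround"


if __name__ == "__main__":
    # Usage: triage.py <version> <path to geoserver/WEB-INF/lib>   (assumed layout)
    version, lib_dir = sys.argv[1], Path(sys.argv[2])
    print(triage(version, [p.name for p in lib_dir.iterdir()]))
```

The verdict deliberately treats a removed jar as a mitigation rather than a fix: the advisory's workaround takes the vulnerable code out of the deployment, but the upgrade target is still reported so that the instance is not forgotten once the patched release is rolled out.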

Due to the flaw, listed as CVE-2024-36401, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation, because property names are unsafely evaluated as XPath expressions.

OGC stands for the Open Geospatial Consortium. The Open Geospatial Consortium is an international organization that develops and publishes standards for geospatial and location-based services. GeoServer supports a range of standards set by the Open Geospatial Consortium (OGC), such as Web Map Service (WMS), Web Feature Service (WFS), and Web Coverage Service (WCS).

XPath, which stands for XML Path Language, is a query language used for selecting nodes from an XML document. It allows you to navigate through elements and attributes in XML documents and retrieve specific data.
