GeoServer is vulnerable to an attack in which an attacker can execute malicious Java code simply by setting up a data source. The cause is that GeoServer's security mechanism allows unvalidated JNDI lookups, which can be used to trigger class deserialization and so arbitrary code execution. GeoServer also has a disk quota mechanism that is reachable via JNDI. A malicious user can set up a data source, configure it to store arbitrary data, and then set the disk quota to unlimited; the server then consumes all available memory and starts writing data to disk, resulting in a denial of service. The same can happen when the disk quota is configured through the GeoServer REST API.

Summary of vulnerabilities

A data source can be used to store arbitrary Java code, which can then be executed. This is possible because GeoServer's security mechanism allows unvalidated JNDI lookups, which can be used to trigger class deserialization and so arbitrary code execution.

Overview

GeoServer is a Java-based server for configuring and managing geospatial data. It supports formats such as KML, CSV, XML, and GML. GeoServer exposes a REST API that can be used, for example, to request the contents of a file or to set up data sources. This REST API uses JNDI (Java Naming and Directory Interface) lookups to create resources and operate on them. The JNDI lookup mechanism in GeoServer is not secure because it requires no session token or other security control for resource creation.
The vulnerability can be exploited by setting up a data source with malicious content and then using the REST API to configure that data source's disk quota. As long as the disk quota is set to unlimited, the server uses up all memory and starts writing all of its output to disk. The JNDI lookup mechanism also accepts incoming connections from any IP address without authentication.
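The two weaknesses described above share one root cause: configuration supplied through an administrative interface is accepted without validation. The following validator is an added example written for this page, not GeoServer's or GeoTools' own code. It checks a data source configuration before it is applied: the JNDI name must be a plain container-local name (assumed prefix `java:comp/env/`, with no URL scheme that would send the lookup to an external service), and the disk quota must be a finite positive size below an operator-defined cap rather than "unlimited". The dictionary keys (`connectionParameters`, `jndiReferenceName`, `diskQuota`), the prefix and the 50 GiB cap are assumptions chosen for the example.

```python
"""Defensive config validation for a JNDI-backed data source (added example).

Not GeoServer's code. Keys, prefix and limits are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Assumption: only container-local JNDI names under this prefix are acceptable.
ALLOWED_JNDI_PREFIX = "java:comp/env/"
# Path-like segments allowed after the prefix (letters, digits, _ . -, joined by /).
_JNDI_REMAINDER = re.compile(r"^[A-Za-z0-9_.\-]+(/[A-Za-z0-9_.\-]+)*$")

# Assumption: hard cap an operator would impose on any single data source.
MAX_QUOTA_BYTES = 50 * 1024 ** 3  # 50 GiB

# Strings an admin UI or REST client might send to mean "no limit".
_UNBOUNDED_WORDS = {"unlimited", "-1", "inf", "infinity", "none"}


@dataclass
class ValidationResult:
    ok: bool
    reason: str = ""


def validate_jndi_name(name) -> ValidationResult:
    """Accept only names that resolve inside the container's own namespace."""
    if not isinstance(name, str) or not name:
        return ValidationResult(False, "jndi name missing")
    # A scheme separator means the lookup would be routed to a remote provider.
    if "://" in name:
        return ValidationResult(False, "jndi name contains a URL scheme")
    if not name.startswith(ALLOWED_JNDI_PREFIX):
        return ValidationResult(False, f"jndi name must start with {ALLOWED_JNDI_PREFIX}")
    remainder = name[len(ALLOWED_JNDI_PREFIX):]
    if not _JNDI_REMAINDER.match(remainder):
        return ValidationResult(False, "jndi name has unexpected characters")
    # Reject relative segments so the name cannot escape the allowed subtree.
    if any(seg in (".", "..") for seg in remainder.split("/")):
        return ValidationResult(False, "jndi name contains relative segments")
    return ValidationResult(True)


def validate_disk_quota(quota) -> ValidationResult:
    """Require a finite positive byte count no larger than the operator cap."""
    if isinstance(quota, str):
        if quota.strip().lower() in _UNBOUNDED_WORDS:
            return ValidationResult(False, "quota must be bounded")
        try:
            quota = int(quota.strip())
        except ValueError:
            return ValidationResult(False, "quota is not an integer")
    # bool is a subclass of int in Python; True must not pass as a quota of 1.
    if isinstance(quota, bool) or not isinstance(quota, int):
        return ValidationResult(False, "quota is not an integer")
    if quota <= 0:
        return ValidationResult(False, "quota must be positive")
    if quota > MAX_QUOTA_BYTES:
        return ValidationResult(False, "quota exceeds operator cap")
    return ValidationResult(True)


def validate_datasource(config: dict) -> ValidationResult:
    """Validate a data source config dict as it might arrive from a REST call."""
    params = config.get("connectionParameters", {})
    if "jndiReferenceName" in params:
        result = validate_jndi_name(params["jndiReferenceName"])
        if not result.ok:
            return result
    if "diskQuota" in config:
        result = validate_disk_quota(config["diskQuota"])
        if not result.ok:
            return result
    return ValidationResult(True)


if __name__ == "__main__":
    # Constructed sample requests (not real GeoServer payloads).
    samples = [
        {"connectionParameters": {"jndiReferenceName": "java:comp/env/jdbc/gis"},
         "diskQuota": 10 * 1024 ** 3},
        {"connectionParameters": {"jndiReferenceName": "java:comp/env/jdbc/gis"},
         "diskQuota": "unlimited"},
        {"connectionParameters": {"jndiReferenceName": "foo://example.invalid/obj"},
         "diskQuota": 1024},
    ]
    for sample in samples:
        print(validate_datasource(sample))
```

In a deployment the check belongs at the point where the REST API or admin UI accepts the configuration, before any lookup or quota change is performed; an accepted-but-rejected request should also be logged with the offending field so that repeated attempts stand out in monitoring.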

The Attack

The attack is a denial of service.

Affected Version

CVE-2022-24847 is found in GeoServer 0.9.10 and all earlier versions of the software.

Timeline

Published on: 04/13/2022 22:15:00 UTC
Last modified on: 04/21/2022 18:23:00 UTC
