Hackers could exploit RCE flaw on Geoserver GeoTools

July 23, 2024

A major GeoServer GeoTools RCE flaw, CVE-2024-36401, is currently considered a significant threat because hackers can widely exploit it across the cybercriminal landscape. GeoServer, the software affected by this newly discovered remote code execution flaw, is an open-source server that lets users share, process, and edit geospatial data.

Moreover, the GeoServer maintainers disclosed that the RCE has a severity rating of 9.8 and is triggered by property names being incorrectly processed as XPath expressions.

Based on reports, the GeoTools library API that GeoServer uses evaluates feature type property/attribute names in an insecure way: it passes them to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions.

This XPath evaluation is intended for complex feature types only, but it is mistakenly applied to simple feature types as well, so the bug affects all GeoServer instances.

While the vulnerability was not actively exploited at the time, researchers quickly published a PoC showing how to execute remote code on exposed servers, open reverse shells, generate outbound connections, and create a file in the /tmp directory.

The issue has been addressed in the latest GeoServer versions; hence, researchers advise all users to upgrade to these releases. The maintainers also provide workarounds but warn that they may disrupt some GeoServer functions.

The vulnerability within the GeoServer GeoTools has allegedly recorded its first exploit.

Earlier this week, CISA included the GeoServer GeoTools flaw in its Known Exploited Vulnerabilities Catalogue. Additionally, this government agency warns that the issue is being actively exploited in cyberattacks.

While CISA did not reveal any details on how to exploit the bug, a threat monitoring platform disclosed that CVE-2024-36401 has been extensively exploited since the beginning of this month.

Currently, approximately 16,462 confirmed GeoServer servers are exposed online, most of them in the US, France, Germany, Romania, and mainland China. Researchers believe GeoServer operators should prioritise addressing this vulnerability to prevent potential attacks and exploitation.

Therefore, users still running a vulnerable version should upgrade to the latest release and review their systems and logs for signs of exploitation.
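A log review of the kind the last sentence calls for, added here as an example that is not part of the original article: because the bug is that property names get evaluated as XPath (see the GeoTools/commons-jxpath description above), a defender can flag WFS requests whose property-name parameters are anything other than plain attribute names. The access-log format and the sample lines are constructed; the parameter names are the standard WFS KVP ones (propertyName, valueReference).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A simple feature type's attribute name is a plain identifier, optionally
# namespace-prefixed ("the_geom", "topp:STATE_NAME"). Parentheses, quotes,
# brackets or slashes are XPath syntax, which a vulnerable GeoTools build would
# hand to commons-jxpath for evaluation instead of treating as a name.
# Deployments that legitimately serve complex features with path expressions
# ("a/b") should widen this pattern to their schema.
SIMPLE_NAME = re.compile(r"^[A-Za-z_][\w.\-]*(?::[A-Za-z_][\w.\-]*)?$")

# WFS KVP parameters that carry property/attribute names (compared lowercase).
NAME_PARAMS = {"propertyname", "valuereference"}

# Assumed (constructed) common-log-style line as a reverse proxy in front of
# GeoServer might write it: client, ident, user, [timestamp], "METHOD URL PROTO", status.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: one benign GetPropertyValue, one with a function-call
# shaped "property name" (percent-encoded quotes), one benign GetFeature.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jul/2024:10:14:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=topp:STATE_NAME HTTP/1.1" 200 1532',
    '198.51.100.7 - - [01/Jul/2024:10:15:44 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=f(%27x%27) HTTP/1.1" 200 211',
    '192.0.2.9 - - [01/Jul/2024:10:16:10 +0000] "GET /geoserver/wfs?service=WFS&version=1.0.0&request=GetFeature&typeName=topp:states&propertyName=STATE_NAME,PERSONS HTTP/1.1" 200 9021',
]


def suspicious_property_names(url):
    """Return the (decoded) property-name values in a WFS URL that are not simple attribute names."""
    hits = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.lower() not in NAME_PARAMS:
            continue
        for name in value.split(","):  # propertyName may list several names
            name = name.strip()
            if name and not SIMPLE_NAME.match(name):
                hits.append(name)
    return hits


def scan_log(lines):
    """Scan access-log lines and return one finding per GeoServer request with XPath-like property names."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or "/geoserver/" not in m["url"].lower():
            continue
        names = suspicious_property_names(m["url"])
        if names:
            findings.append({"client": m["client"], "ts": m["ts"],
                             "status": int(m["status"]), "names": names})
    return findings
```

Only GET/KVP requests are visible in an access log; XML POST bodies need the same name check applied at a proxy or WAF that sees the request body.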