Organizations Warned of Exploited GeoServer Vulnerability

CISA says it has evidence that a recent critical-severity vulnerability in GeoServer is exploited in the wild.

The US cybersecurity agency CISA is urging federal agencies to patch a critical-severity vulnerability in GeoServer as soon as possible, warning of evidence of active exploitation.

The bug, tracked as CVE-2024-36401 (CVSS score of 9.8), is described as the unsafe evaluation of property names as XPath expressions, which could allow unauthenticated attackers to execute code remotely, through crafted input against a default GeoServer installation.

GeoServer, an open source server for sharing and editing geospatial data, calls a GeoTools library API that passes the property/attribute names of feature types, without safely evaluating them, to a library that can execute code when it evaluates XPath expressions.

Because the XPath evaluation is incorrectly applied to simple feature types instead of being exclusive to complex feature types, the vulnerability affects all GeoServer instances, the software’s maintainers explain. The security defect can be exploited through various types of requests.

The remote code execution flaw was addressed with the release of GeoServer versions 2.23.6, 2.24.4, and 2.25.2. GeoTools updates were also released to patch CVE-2024-36404 (CVSS score of 9.8), a remote code execution bug rooted in the evaluation of XPath expressions supplied by user input.

As a workaround, users can remove the ‘gt-complex-x.y.jar’ file from the server (‘x.y’ represents the GeoTools version), which will remove the vulnerable code, but may break some GeoServer functionality.
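The following inventory check is an added example, not code from the article or from the GeoServer project: it classifies an instance as patched, vulnerable, or covered by the jar-removal workaround, using the fix releases and the gt-complex jar name given above. It assumes a standard WEB-INF/lib layout and that release branches newer than 2.25 were cut after the fix (the article does not say so).

```python
import re
import sys
from pathlib import Path

# Fix releases named in the advisory, keyed by GeoServer release branch.
FIXED_PATCH_LEVEL = {(2, 23): 6, (2, 24): 4, (2, 25): 2}

# Workaround jar from the advisory: gt-complex-x.y.jar, where x.y is the GeoTools version.
GT_COMPLEX_JAR = re.compile(r"^gt-complex-\d+\.\d+(?:\.\d+)?\.jar$")


def parse_version(text):
    """Split '2.25.1' into (2, 25, 1); trailing qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True when the version includes the CVE-2024-36401 fix.

    Branches 2.23/2.24/2.25 are fixed from the patch levels in FIXED_PATCH_LEVEL.
    Assumption (not stated in the article): branches newer than 2.25 were released
    after the fix, and branches older than 2.23 never received one and stay vulnerable.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH_LEVEL:
        return patch >= FIXED_PATCH_LEVEL[branch]
    return branch > (2, 25)


def gt_complex_jars(filenames):
    """Names from a WEB-INF/lib listing that are the gt-complex jar (empty = workaround applied)."""
    return sorted(name for name in filenames if GT_COMPLEX_JAR.match(name))


def assess(version, filenames):
    """Classify one instance: 'patched', 'workaround' (jar removed) or 'vulnerable'."""
    if is_patched(version):
        return "patched"
    return "vulnerable" if gt_complex_jars(filenames) else "workaround"


if __name__ == "__main__":
    # Usage: python geoserver_check.py <version> <path/to/geoserver/WEB-INF/lib>
    ver, lib = sys.argv[1], Path(sys.argv[2])
    print(ver, assess(ver, (p.name for p in lib.iterdir())))
```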

On Monday, CISA added CVE-2024-36401 to its Known Exploited Vulnerabilities (KEV) catalog, without providing specific details on the observed in-the-wild exploitation.

Per Binding Operational Directive (BOD) 22-01, federal agencies have until August 5 to identify vulnerable GeoServer instances within their environments and apply the available patches.

While BOD 22-01 only applies to federal agencies, organizations of all types are advised to review CISA’s KEV list and take the necessary steps to secure their environments by applying available fixes or mitigations for the identified security defects.

There have been no reports of this flaw being exploited before CISA’s warning. However, CVE-2024-36401 is the second GeoServer vulnerability that CISA has added to the KEV catalog over the past three weeks.

Related: CISA Warns of Exploited GeoServer, Linux Kernel, and Roundcube Vulnerabilities

Related: Year-Old Veeam Vulnerability Exploited in Fresh Ransomware Attacks

Related: Windows Event Log Vulnerabilities Could Be Exploited to Blind Security Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
