Critical GeoServer Flaw CVE-2024-36401 Actively Exploited in Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about an actively exploited remote code execution (RCE) vulnerability in GeoServer, an open-source server for geospatial data. The flaw, tracked as CVE-2024-36401, has been given a severity rating of 9.8.
Details of the Vulnerability
GeoServer disclosed the critical RCE vulnerability on June 30, 2024. The issue stems from the GeoTools plugin, which unsafely evaluates property names as XPath expressions, leading to the potential for arbitrary code execution. Specifically, the GeoTools library API evaluates property/attribute names in a manner that can be exploited via the commons-jxpath library.
Impact and Exploitation
Although initially not exploited, researchers quickly released proof-of-concept exploits demonstrating the flaw’s potential. These exploits could enable remote code execution on exposed servers, allow for reverse shell openings, make outbound connections, or create files in the /tmp folder.
GeoServer maintainers promptly patched the flaw in versions 2.23.6, 2.24.4, and 2.25.2, and recommended that all users upgrade to these releases. They also provided workarounds, though with potential functionality trade-offs.
See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses
Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.
CISA’s Warning and Observations
On July 9, 2024, threat monitoring service Shadowserver reported active exploitation of CVE-2024-36401. Following this, CISA added the flaw to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch the servers by August 5, 2024.
Open-source intelligence (OSINT) from ZoomEye identified approximately 16,462 exposed GeoServer servers, predominantly in the U.S., China, Romania, Germany, and France.
Trending: Offensive Security Tool: DDoSlayer
Recommendations
While CISA’s directives primarily target federal agencies, private organizations using GeoServer should also prioritize patching this vulnerability. Immediate action includes:
- Upgrading GeoServer: Update to the latest versions (2.23.6, 2.24.4, or 2.25.2).
- Implementing Workarounds: Apply recommended workarounds if upgrading is not immediately possible, but be aware of potential impacts on functionality.
- Monitoring Systems: Thoroughly review systems and logs for signs of compromise.
Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]
Source: bleepingcomputer.com
Recent News
Offensive Security & Ethical Hacking Course
Begin the learning curve of hacking now!
Information Security Solutions
Find out how Pentesting Services can help you.
