Actively exploited critical vulnerability (CVE-2024-36401) impacting over 16k GeoServer Instances
17 Jul 2024
Attackers are actively exploiting a critical vulnerability in GeoServer instances, rated 9.8 (CVSS), labeled as CVE-2024-36401.
According to some experts, is being exploited since July 9th, 2024. CISA has warned all the federal agencies affected by the security flaw to immediately patch against the vulnerability with the latest versions – 2.23.6, 2.24.4, and 2.25.2 comprising the fix for the security flaw.
Currently, around 16462 GeoServer instances are being exposed to the vulnerabilities.
What is GeoServer?
GeoServer is a free and open-source Java-based server. It allows users to share their spatial information with the world with the help of web map services. It can create maps and users can export them in multiple formats. It assists people in sharing, processing, and modifying their geospatial data.
About the security vulnerability: what threat does it pose?
GeoServer knew about the vulnerability in the GeoTools Library on 30th June.
Because of the failure of the GeoTools library API to evaluate property/attributes, specifically one named XPath expressions, attackers can remotely execute an arbitrary code through a specially crafted input on the default GeoServer installation.
What makes it dangerous is that since the vulnerability is insecurely applied to a simple feature type and not a complex type, it impacts all the instances of GeoServer instances around the world. The countries with the most exposed instances include the United States, France, Romania, and Germany.
There is no Proof of Concept currently published for the said vulnerability, but it can be exploited through multiple kinds of requests making it highly dangerous. The following are the requests through which it can be exploited:
- WFS GetFeature
- WFS Get PropertyValue
- WMS GetMap
- WMS GetFeatureInfo
- WMS Execute
- WMS GetLegendGraphic
Due to the severity of the threat that the vulnerability poses, CISA has issued an advisory to all the federal agencies, asking them to patch against the vulnerability before August 5. However, private organizations are equally exposed to the risks associated with the vulnerability and are advised to review their systems and logs for any signs of compromise.
SharkStriker’s recommendations and actions
The following are some of the actions taken and recommendations by SharkStriker:
- Threat hunters from SharkStriker’s SOC team have scanned partners’ and customers’ environments based on the indicators of Compromise (IoC) available.
- All the users are advised to immediately patch any instances of GeoServer to the latest versions (2.23.6, 2.24.4 and 2.25.2)
- Customers and Partners can easily track their security posture through multiple dashboards with STRIEGO