Will administrators have time to close the gap in GeoServer?
The CISA agency warns that a critical vulnerability in GeoServer GeoTools is actively used in attacks.
GeoServer is an open source server that allows users to share, process, and modify geospatial data. On June 30, GeoServer developers disclosed information about the critical RCE vulnerability CVE-2024-36401 (CVSS score: 9.8) in the GeoTools plugin. The problem is that property names are not safely evaluated as XPath expressions.
Project specialists explain that the GeoTools API library, which GeoServer calls, evaluates property and attribute names for feature types and passes them unsafely to the commons-jxpath library. This can lead to arbitrary code execution when the XPath expressions are evaluated. Note that the vulnerability affects all GeoServer instances.
At the time of disclosure, the bug was not being actively exploited, but researchers quickly published proof-of-concept (PoC) exploits [1, 2, 3] demonstrating how to execute remote code on vulnerable servers, open a reverse shell, establish outgoing connections, or create a file in the "/tmp" directory.
GeoServer developers promptly released fixes for versions 2.23.6, 2.24.4 and 2.25.2, and strongly recommend that all users update their systems. Experts also suggested workarounds for those who can't upgrade immediately, but warned that they may disrupt some GeoServer functions.
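For a fleet of GeoServer instances, the first defensive step is knowing which ones are still below the fixed release for their branch. The following triage script is an added example, not code from the article or from the GeoServer project; it encodes only the three fixed versions named above (2.23.6, 2.24.4, 2.25.2). Its treatment of other branches is an assumption: a branch older than 2.23 has no fix listed, so it is reported as needing a branch upgrade, and a branch newer than 2.25 is assumed to have been released after the fix. The inventory at the bottom is constructed sample data.

```python
from dataclasses import dataclass

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}

NEWEST_FIXED_BRANCH = max(FIXED_RELEASES)


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '2.25.1' or '2.25.1-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    core = version.strip().split("-", 1)[0]          # drop qualifiers such as -SNAPSHOT
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GeoServer version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def classify(version: str) -> str:
    """Classify one instance against the fixed releases.

    Returns one of:
      'patched'            - at or above the fixed release for its branch
      'vulnerable'         - on a fixed branch but below the fixed release
      'upgrade-branch'     - on a branch older than 2.23, for which no fix is listed (assumption)
    Branches newer than 2.25 are assumed to post-date the fix (assumption).
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        return "patched" if (major, minor, patch) >= FIXED_RELEASES[branch] else "vulnerable"
    if branch > NEWEST_FIXED_BRANCH:
        return "patched"  # assumption: later branches were cut after the fix landed
    return "upgrade-branch"


def is_patched(version: str) -> bool:
    return classify(version) == "patched"


@dataclass(frozen=True)
class Finding:
    host: str
    version: str
    status: str


def triage(inventory: dict[str, str]) -> list[Finding]:
    """Evaluate every host and return the ones that still need action, worst first."""
    order = {"vulnerable": 0, "upgrade-branch": 1, "patched": 2}
    findings = [Finding(h, v, classify(v)) for h, v in inventory.items()]
    return sorted(findings, key=lambda f: (order[f.status], f.host))


# Constructed sample inventory (host -> reported GeoServer version); not real systems.
SAMPLE_INVENTORY = {
    "gis-prod-01.example": "2.25.1",
    "gis-prod-02.example": "2.25.2",
    "gis-legacy.example": "2.22.5",
    "gis-dev.example": "2.26.0-SNAPSHOT",
    "gis-qa.example": "2.24.3",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.status:15} {f.host:22} {f.version}")
```

Run against a real inventory, hosts reported as "vulnerable" or "upgrade-branch" are the ones to patch or upgrade first; the article's advice to review logs for signs of compromise applies to every host that was exposed before the fix was applied, regardless of its current status.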
In addition, on July 16, CISA added the vulnerability CVE-2024-36401 to its KEV catalog with a note that the flaw is already being used in attacks. CISA requires federal agencies to install patches by August 5, 2024.
Although CISA did not provide information on how the vulnerability is being exploited, the Shadowserver threat monitoring service reported that active exploitation of CVE-2024-36401 began on July 9. According to the ZoomEye OSINT search engine, about 16,400 GeoServer servers are reachable online, most of them located in the United States, China, Romania, Germany, and France.
While the agency's KEV catalog is primarily targeted at federal agencies, private organizations should also immediately install patches to protect their systems. Those who have not yet updated their servers should immediately upgrade to the latest version of GeoServer and thoroughly check their systems and logs for signs of compromise.
Source