CVE-2024-36401 (CVSS 9.8): Urgent Patch Needed for GeoServer RCE Vulnerability

CVE-2024-36401

A severe security flaw, CVE-2024-36401 (CVSS 9.8), has been discovered in GeoServer, a widely used open-source software platform for managing and sharing geospatial data. The vulnerability could allow attackers to execute arbitrary code on affected servers, putting sensitive mapping and location data at risk.


The vulnerability stems from the unsafe evaluation of property name expressions within the GeoTools library API. Specifically, the issue arises when multiple OGC request parameters are processed, allowing unauthenticated users to inject specially crafted inputs. These inputs exploit the XPath expressions used to evaluate property/attribute names for feature types, leading to the execution of arbitrary code.

The root cause of this vulnerability lies in the GeoTools library API, which GeoServer calls to evaluate property names. These property names are passed to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions. This functionality, intended for complex feature types (such as Application Schema data stores), is incorrectly applied to simple feature types as well, broadening the vulnerability to all GeoServer instances.

GeoServer users are urged to take immediate action to mitigate the risks associated with CVE-2024-36401. The following steps can be taken to secure affected systems:

Workaround

Users can temporarily mitigate the vulnerability by removing the gt-complex-x.y.jar file from their GeoServer installation. This eliminates the vulnerable code but may break functionality that depends on the gt-complex module, such as Application Schema data stores. The workaround steps are as follows:

For GeoServer .war deployment:

  1. Stop the application server.
  2. Unzip geoserver.war into a directory.
  3. Locate and remove WEB-INF/lib/gt-complex-x.y.jar.
  4. Rezip the directory into a new geoserver.war.
  5. Restart the application server.

For GeoServer binary:

  1. Stop Jetty.
  2. Locate and remove webapps/geoserver/WEB-INF/lib/gt-complex-x.y.jar.
  3. Restart Jetty.
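The .war workaround above, written as a small added helper (not GeoServer project code): it checks whether a war still carries a gt-complex jar and writes a copy with that jar stripped, so the check can be rerun after the fix. The sample war, the version number in the jar name and the stop/start of the application server are constructed or left to the operator.

```python
import os
import re
import shutil
import tempfile
import zipfile

# Matches the jar the advisory names, whatever its x.y version suffix.
GT_COMPLEX = re.compile(r"^WEB-INF/lib/gt-complex-[^/]+\.jar$")


def find_gt_complex(war_path):
    """Return the gt-complex jar entries still present in a geoserver.war."""
    with zipfile.ZipFile(war_path) as war:
        return [n for n in war.namelist() if GT_COMPLEX.match(n)]


def strip_gt_complex(war_path, out_path):
    """Copy war_path to out_path, dropping gt-complex jar(s); return what was removed."""
    removed = []
    with zipfile.ZipFile(war_path) as src, \
            zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if GT_COMPLEX.match(info.filename):
                removed.append(info.filename)
                continue  # everything else is copied unchanged
            dst.writestr(info, src.read(info.filename))
    return removed


def build_sample_war(path):
    """Constructed stand-in for geoserver.war; the version 31.1 is made up."""
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/gt-complex-31.1.jar", b"placeholder")
        war.writestr("WEB-INF/lib/gt-main-31.1.jar", b"placeholder")


def demo():
    """Check, strip, re-check; returns (before, removed, after, remaining entries)."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "geoserver.war")
    dst = os.path.join(tmp, "geoserver-mitigated.war")
    build_sample_war(src)
    before = find_gt_complex(src)
    removed = strip_gt_complex(src, dst)
    after = find_gt_complex(dst)
    with zipfile.ZipFile(dst) as war:
        remaining = sorted(war.namelist())
    shutil.rmtree(tmp)
    return before, removed, after, remaining
```

For the binary distribution the same check is a plain directory listing of webapps/geoserver/WEB-INF/lib, and the removal a file delete; in both cases stop the server before swapping the war and restart it afterwards.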

Permanent Fix

The vulnerability has been patched in GeoServer versions 2.24.4, 2.25.2, and 2.23.6. Users are strongly encouraged to update to these versions to secure their systems against this flaw. For users unable to update immediately, patched jars (gt-app-schema, gt-complex, and gt-xsd-core) are available for prior releases and can be applied following similar steps to the workaround.