
DIVD-2024-00032 - Unauthenticated Remote Code Execution (RCE) vulnerability in Geoserver

Our reference DIVD-2024-00032
Case lead Alwin Warringa
Author Koen Schagen
Researcher(s)
CVE(s)
Products
  • GeoServer
  • GeoTools
Versions
  • GeoServer version 2.24.0 or later, but earlier than version 2.24.4.
  • GeoServer version 2.25.0 or later, but earlier than version 2.25.2.
  • GeoServer below version 2.23.6
  • GeoTools below version 29.6
  • GeoTools version 30.0 or later, but earlier than version 30.4.
  • GeoTools version 31.0 or later, but earlier than version 31.2.
Recommendation Check for the patched versions and get those installed
Patch status Released
Workaround Yes
Status Closed
Last modified 16 Sep 2024 19:41 CEST

Summary

GeoServer and GeoTools have issued a security announcement and fixed an XPath expression injection vulnerability. This vulnerability results in unauthenticated Remote Code Execution (RCE), allowing an attacker to gain full access to the system without authentication.

Recommendations

GeoServer released several patched versions (2.24.4, 2.25.2 and 2.23.6). Please update to one of those versions (or better) as soon as possible.

GeoTools released several patched versions (29.6, 30.4 and 31.2). Please update to one of those versions (or better) as soon as possible.

Mitigation

If users cannot install the updates right away, the following measure gives temporary relief: deleting the gt-complex-x.y.jar file from GeoServer (x.y is the bundled GeoTools version, for example gt-complex-31.1.jar in GeoServer 2.25.1) removes the vulnerable code from GeoServer, but may break some GeoServer functionality. When an extension in use requires the gt-complex module, removing it may cause the GeoServer deployment to fail.
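The affected version ranges listed above, turned into a check that a defender can run against a software inventory or against the jar files in a GeoServer deployment. This is an added example and not code from DIVD, GeoServer or GeoTools; the jar naming pattern gt-complex-<version>.jar is taken from the mitigation paragraph, and the file names used in main() are constructed sample input.

```python
"""Check GeoServer / GeoTools versions against the affected ranges of
DIVD-2024-00032. Added example; not DIVD's or the projects' own code."""
import re
from pathlib import Path

# Affected ranges from the advisory: (inclusive lower bound or None, exclusive upper bound).
GEOSERVER_AFFECTED = [(None, "2.23.6"), ("2.24.0", "2.24.4"), ("2.25.0", "2.25.2")]
GEOTOOLS_AFFECTED = [(None, "29.6"), ("30.0", "30.4"), ("31.0", "31.2")]

# Matches gt-complex-<version>.jar, optionally with a qualifier such as -SNAPSHOT.
GT_COMPLEX_JAR = re.compile(r"^gt-complex-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9.]+)?\.jar$")


def parse_version(text):
    """Turn '2.25.1' or '31.1' into a comparable tuple of ints, padded to three
    components so that '29.6' and '29.6.0' compare equal."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def in_affected_range(version, ranges):
    """True when version falls inside any of the (low, high) ranges."""
    v = parse_version(version)
    for low, high in ranges:
        if (low is None or v >= parse_version(low)) and v < parse_version(high):
            return True
    return False


def is_vulnerable_geoserver(version):
    return in_affected_range(version, GEOSERVER_AFFECTED)


def is_vulnerable_geotools(version):
    return in_affected_range(version, GEOTOOLS_AFFECTED)


def classify_jar_names(names):
    """Map each gt-complex jar name to (GeoTools version, vulnerable?).
    Other jar names are ignored."""
    result = {}
    for name in names:
        m = GT_COMPLEX_JAR.match(name)
        if m:
            result[name] = (m.group(1), is_vulnerable_geotools(m.group(1)))
    return result


def scan_lib_dir(lib_dir):
    """Classify the gt-complex jars in a GeoServer WEB-INF/lib directory."""
    return classify_jar_names(p.name for p in Path(lib_dir).glob("gt-complex-*.jar"))


def main():
    # Constructed sample inventory; a real check would read the deployment's lib dir.
    sample_jars = ["gt-complex-31.1.jar", "gt-main-31.1.jar", "gt-complex-31.2.jar"]
    for name, (ver, vuln) in classify_jar_names(sample_jars).items():
        print(f"{name}: GeoTools {ver} -> {'VULNERABLE' if vuln else 'fixed'}")
    for gs in ["2.23.5", "2.23.6", "2.25.1", "2.25.2", "2.26.0"]:
        print(f"GeoServer {gs}: {'VULNERABLE' if is_vulnerable_geoserver(gs) else 'fixed'}")


if __name__ == "__main__":
    main()
```

The bounds are parsed with the same padding as the inputs, so a two-component GeoTools version such as 31.1 is compared correctly against the 31.2 fix, and a version outside all listed ranges (for example GeoServer 2.26.0) is reported as fixed, which is exactly what the advisory's ranges state and nothing more.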

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of GeoServer and to notify them. We do this by verifying the presence of the vulnerability in a harmless manner and collecting the software version number where possible.

Timeline

Date Description
03 Jul 2024 DIVD starts researching the vulnerability.
03 Jul 2024 DIVD finds fingerprint, preparing to scan.
04 Jul 2024 DIVD starts scanning the internet for vulnerable instances.
05 Jul 2024 DIVD starts notifying network owners with a vulnerable instance in their network.
14 Sep 2024 DIVD sent out a second round of notifications.
14 Sep 2024 Case closed.

More information