Skip to the content.

DIVD-2024-00032 - Unauthenticated Remote Code Execution (RCE) vulnerability in Geoserver

Our reference DIVD-2024-00032
Case lead Alwin Warringa
Author Koen Schagen
Researcher(s)
CVE(s)
Products
  • GeoServer
  • GeoTools
Versions
  • GeoServer version 2.24.0 or later, but earlier than version 2.24.4.
  • GeoServer version 2.25.0 or later, but earlier than version 2.25.2.
  • GeoServer below version 2.23.6
  • GeoTools below version 29.6
  • GeoTools version 30.0 or later, but earlier than version 30.4.
  • GeoTools version 31.0 or later, but earlier than version 31.2.
Recommendation Check for the patched versions and get those installed
Patch status Released
Workaround Yes
Status Open
Last modified 05 Jul 2024 16:34

Summary

GeoServer and GeoTools have issued a security announcement and fixed an XPath expression injection vulnerability. This vulnerability results in unauthenticated Remote Code Execution (RCE), allowing an attacker to gain full access to the system without authentication.

Recommendations

GeoServer released serveral patched versions (2.24.4, 2.25.2 and 2.23.6). Please update to one of those versions (or better) as soon as possible.

GeoTools released serveral patched versions (29.6, 30.4 and 31.2). Please update to one of those versions (or better) as soon as possible.

Mitigation

If relevant users cannot install updates temporarily, the following measures can be taken for temporary relief: Deleting the gt-complex-x.y.jar file in GeoServer (x.y is the version of GeoTools, such as gt-complex-31.1.jar in GeoServer 2.25.1) will remove vulnerable code from GeoServer, but may compromise some GeoServer functionality. When a gt-complex module is required by an extension in use, it may cause the GeoServer deployment to fail.

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of Geoserver and to notify these parties. We do this by verifying the presence of the vulnerability in a harmless manner and collect the software version number if possible.

Timeline

Date Description
03 Jul 2024 DIVD starts researching the vulnerability.
03 Jul 2024 DIVD finds fingerprint, preparing to scan.
04 Jul 2024 DIVD starts scanning the internet for vulnerable instances.
05 Jul 2024 DIVD starts notifying network owners with a vulnerable instance in their network.
gantt title DIVD-2024-00032 - Unauthenticated Remote Code Execution (RCE) vulnerability in Geoserver dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00032 - Unauthenticated Remote Code Execution (RCE) vulnerability in Geoserver (still open) :2024-07-03, 2024-07-20 section Events DIVD starts researching the vulnerability. : milestone, 2024-07-03, 0d DIVD finds fingerprint, preparing to scan. : milestone, 2024-07-03, 0d DIVD starts scanning the internet for vulnerable instances. : milestone, 2024-07-04, 0d DIVD starts notifying network owners with a vulnerable instance in their network. : milestone, 2024-07-05, 0d

More information