- The 70+ best Black Friday TV deals 2024: Save up to $2,000
- This AI image generator that went viral for its realistic images gets a major upgrade
- One of the best cheap Android phones I've tested is not a Motorola or Samsung
- The best VPN services for iPhone: Expert tested and reviewed
- Docker Desktop 4.36 | Docker
CISA: Patch Critical GeoServer GeoTools Bug Now
The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal government agencies to patch a critical vulnerability in a popular open source server that’s being actively exploited in the wild.
CISA added CVE-2024-36401 to its Known Exploited Vulnerabilities (KEV) catalog earlier this week, ordering agencies to patch by August 5.
The remote code execution (RCE) vulnerability is found in the GeoTools plugin of GeoServer, an open source server written in Java that allows users to share, process and edit geospatial data.
“OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions,” CISA said. “This allows unauthenticated attackers to conduct remote code execution via specially crafted input.”
Read more on open source vulnerabilities: Apache Warns of Critical Vulnerability in Struts 2
While it’s unclear who is exploiting the vulnerability and how, GeoServer maintainers patched it in versions 2.23.6, 2.24.4 and 2.25.2, which users are urged to upgrade to.
They also offered workarounds to remove the vulnerable code from GeoServer but warned that they “may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed by an extension you are using.”
At the time, the maintainers claimed: “No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.”
However, proof-of-concept code soon began circulating online, around a fortnight ago.
Non-profit the Shadowserver Foundation claimed in a social media post to have first observed signs of exploitation of CVE-2024-36401 back on July 9. It urged users to “check for signs of compromise and patch.”
CISA added GeoServer CVE-2024-36401 to its Known Exploited Vulnerability Catalog https://t.co/0jvga7TBFr
We first observed CVE-2024-36401 “POST /geoserver/wfs” exploitation July 9th in our sensors. Check for signs of compromise & patch https://t.co/CTcIZzwtsI
— The Shadowserver Foundation (@Shadowserver) July 16, 2024
While all civilian federal government agencies must follow the CISA KEV catalog deadline, it is recommended best practice that private enterprises follow suit.
