CISA: Patch Critical GeoServer GeoTools Bug Now

The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal government agencies to patch a critical vulnerability in a popular open source server that’s being actively exploited in the wild.

CISA added CVE-2024-36401 to its Known Exploited Vulnerabilities (KEV) catalog earlier this week, ordering agencies to patch by August 5.

The remote code execution (RCE) vulnerability is found in the GeoTools plugin of GeoServer, an open source server written in Java that allows users to share, process and edit geospatial data.

“OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions,” CISA said. “This allows unauthenticated attackers to conduct remote code execution via specially crafted input.”

While it’s unclear who is exploiting the vulnerability and how, GeoServer maintainers patched it in versions 2.23.6, 2.24.4 and 2.25.2, which users are urged to upgrade to.

They also offered workarounds to remove the vulnerable code from GeoServer but warned that they “may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed by an extension you are using.”

At the time, the maintainers claimed: “No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.”
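The two facts a defender can act on from the paragraphs above are the fixed versions (2.23.6, 2.24.4, 2.25.2) and the list of request types the maintainers confirmed as exploitable, all of which accept property names that the vulnerable GeoTools code evaluated as XPath. The script below is an added example, not GeoServer project code: it checks a version string against the fixed releases and scans access-log lines for those OGC operations whose property-name parameters contain XPath syntax rather than a plain property identifier. The parameter names `propertyName` and `valueReference`, the treatment of branches outside 2.23 to 2.25, and the log lines themselves are assumptions and constructed samples, not taken from the article.

```python
"""Defender-side triage helpers for CVE-2024-36401 (GeoServer / GeoTools).
Added example, not GeoServer code. Log lines are constructed samples."""
import re
from urllib.parse import urlsplit, parse_qs

# Fix versions named in the advisory: minor branch -> first patched release.
FIXED_VERSIONS = {
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}

def parse_version(v):
    """'2.24.3' -> (2, 24, 3); tolerates suffixes such as '2.25.2-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version):
    """True if the version is at or above the patched release of its branch.
    Assumption (not stated in the article): branches older than 2.23 predate
    every fix and are treated as unpatched; branches newer than 2.25 postdate
    the fixes and are treated as patched."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[branch]
    return branch > max(FIXED_VERSIONS)

# Request types the maintainers confirmed as exploitable (from the advisory).
AFFECTED_REQUESTS = {
    ("WFS", "GETFEATURE"), ("WFS", "GETPROPERTYVALUE"),
    ("WMS", "GETMAP"), ("WMS", "GETFEATUREINFO"), ("WMS", "GETLEGENDGRAPHIC"),
    ("WPS", "EXECUTE"),
}
# Query parameters that carry property names (assumed OGC parameter names).
PROPERTY_PARAMS = ("propertyname", "valuereference")
# A legitimate property name is an identifier, optionally namespace-prefixed.
PLAIN_NAME = re.compile(r"^[A-Za-z_][\w.]*(:[A-Za-z_][\w.]*)?$")
# Request part of a CLF-style access-log line: "GET /path?query HTTP/1.1"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def find_suspicious_requests(log_lines, only_confirmed=False):
    """Return (line_no, 'SERVICE REQUEST', confirmed, param, entry) tuples for
    requests whose property-name parameters are not plain identifiers, i.e.
    look like XPath expressions. 'confirmed' marks operations the maintainers
    listed as exploitable; only_confirmed=True restricts output to those."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        params = {k.lower(): v for k, v in qs.items()}
        service = (params.get("service") or [""])[0].upper()
        request = (params.get("request") or [""])[0].upper()
        confirmed = (service, request) in AFFECTED_REQUESTS
        if only_confirmed and not confirmed:
            continue
        for name in PROPERTY_PARAMS:
            for value in params.get(name, []):
                # Property lists are comma-separated; judge each entry alone.
                for entry in value.split(","):
                    if entry and not PLAIN_NAME.match(entry):
                        hits.append((lineno, f"{service} {request}", confirmed, name, entry))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jul/2024:10:01:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME HTTP/1.1" 200 4821',
    '10.0.0.9 - - [09/Jul/2024:10:01:07 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=count(%2F%2F*) HTTP/1.1" 200 311',
    '10.0.0.5 - - [09/Jul/2024:10:01:09 +0000] "GET /geoserver/wms?service=WMS&version=1.3.0&request=GetMap&layers=topp:states&bbox=-130,24,-66,50&width=768&height=330&crs=EPSG:4326&format=image/png HTTP/1.1" 200 90213',
    '10.0.0.9 - - [09/Jul/2024:10:01:15 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME,STATE_NAME%5B1%5D HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Jul/2024:10:01:20 +0000] "POST /geoserver/wps HTTP/1.1" 200 1044',
]

if __name__ == "__main__":
    for v in ("2.24.3", "2.24.4", "2.25.1", "2.25.2"):
        print(v, "patched" if is_patched(v) else "UPGRADE NEEDED")
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

Two limitations are worth keeping in mind when running this over real logs. A GET access log only exposes the query string; the final sample line shows a WPS Execute sent by POST, whose XML body (and any property names inside it) never reaches the log, so a negative result from this scan is not evidence of absence. And because the check flags syntax rather than a specific payload, it is a triage filter that surfaces requests to inspect, which is the kind of "check for signs of compromise" the Shadowserver note asks for, not a verdict on its own.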

However, proof-of-concept code soon began circulating online, around a fortnight ago.

The non-profit Shadowserver Foundation claimed in a social media post to have first observed signs of exploitation of CVE-2024-36401 back on July 9. It urged users to “check for signs of compromise and patch.”

While only civilian federal government agencies are bound by the CISA KEV catalog deadline, private enterprises are advised, as a matter of best practice, to follow suit.