PT-2024-4472 · GeoServer
Sikeoka · Published 2024-06-04 · Updated 2026-01-16 · CVE-2024-36401
CVSS v2.0: 10 · 10 · Critical

| Metric | Vector |
| --- | --- |
| Base vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
GeoServer versions prior to 2.22.6, 2.23.6, 2.24.4, and 2.25.2
GeoTools versions prior to 29.6, 30.4, and 31.2
Description
GeoServer, an open-source server used for sharing and editing geospatial data, contains a Remote Code Execution (RCE) vulnerability. This flaw is due to unsafe evaluation of property names as XPath expressions, allowing unauthenticated users to execute arbitrary code through specially crafted input. The vulnerability exists because the GeoTools library API used by GeoServer improperly handles property/attribute names for feature types, passing them unsafely to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions. This issue affects all GeoServer instances. Multiple threat actors are actively exploiting this vulnerability to deploy malware, including crypto miners, botnets, and backdoors. Recent campaigns involve the use of spear-phishing techniques and the exploitation of the vulnerability to monetize victims' bandwidth. The Earth Baxia APT group has been observed targeting government and energy sectors in the APAC region using this vulnerability. The vulnerability has been exploited in attacks against a U.S. federal agency, resulting in lateral movement and the deployment of web shells.
Recommendations
GeoServer versions prior to 2.22.6: Update to version 2.22.6 or later.
GeoServer versions prior to 2.23.6: Update to version 2.23.6 or later.
GeoServer versions prior to 2.24.4: Update to version 2.24.4 or later.
GeoServer versions prior to 2.25.2: Update to version 2.25.2 or later.
GeoTools versions prior to 29.6: Update to version 29.6 or later.
GeoTools versions prior to 30.4: Update to version 30.4 or later.
GeoTools versions prior to 31.2: Update to version 31.2 or later.
Tags: Exploit · Fix · RCE · Code Injection · Eval Injection
Related Identifiers
BDU:2024-04974
CVE-2024-36401
GHSA-6JJ6-GM7P-FCVV
GHSA-W3PJ-WH35-FQ8W
Affected Products
Geoserver
References
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb · Exploit
- https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w · Exploit
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36401.json · Exploit
- https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 · Exploit
- https://github.com/Chocapikk/CVE-2024-36401 · Exploit
- https://github.com/bigb0x/CVE-2024-36401 · Exploit
- https://github.com/Mr-xn/CVE-2024-36401 · Exploit
- https://github.com/netuseradministrator/CVE-2024-36401 · Exploit
- https://github.com/ahisec/geoserver- · Exploit
- https://github.com/thestar0/CVE-2024-36401-WoodpeckerPlugin · Exploit
- https://github.com/daniellowrie/CVE-2024-36401-PoC · Exploit
- https://github.com/XiaomingX/cve-2024-36401-poc · Exploit
- https://github.com/Niuwoo/CVE-2024-36401 · Exploit
- https://github.com/justin-p/geoexplorer · Exploit
- https://github.com/MInggongK/geoserver- · Exploit, Deleted