Select Page

Sep 18, 2024

Breaking the Mold: Halting a Hacker’s Code ep.23 – GeoServer JXpath Remote Code Execution Vulnerability

by

GeoServer is an open-source geospatial data server used for sharing, processing, and editing GIS data. It provides a flexible platform for developing geospatial services and applications. Recently, a severe vulnerability in GeoServer JXPath was discovered, which allows attackers to fully control the affected server, gaining access to and stealing sensitive data stored on the server.

Vulnerability

The CVE-2024-36401 GeoServer JXPath Remote Code Execution (RCE) vulnerability allows attackers to execute arbitrary code on the server by crafting malicious XPath expressions. These expressions, without proper filtering, are passed to GeoServer’s internal JXPath parser, which can invoke Java methods supported by JXPath, such as creating files, reading files, or executing system commands. Once initial access is gained, attackers may attempt lateral movement within the system to escalate privileges or access additional system resources.

GeoServer relies on GeoTools to manage and operate various geospatial data formats. The GeoTools library API processes feature type properties or names and passes them in an unsafe manner to the commons-jxpath library for XPath expression evaluation, allowing attackers to execute arbitrary code by inputting malicious XPath expressions. Additionally, because JXPath is inappropriately applied to simple feature types that do not require complex parsing, the scope of the vulnerability is further expanded.

Affected Version

2.25.0 <= GeoServer < 2.25.2

2.24.0 <= GeoServer < 2.24.4

GeoServer < 2.23.6

Remediation

Official fix: To address this critical vulnerability, users are recommended to upgrade to version 2.23.6, 2.24.4, and 2.25.2. which fixes this issue. Please visit: https://geoserver.org

Workaround: Removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version. This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.

Implementing the Fix

Upgrade your WAF signature database to version 1.2.15 to ensure that Hillstone Web Application Firewall is equipped to detect and provide protection against this vulnerability.

Figure 1. Hillstone WAF detects and protects users from this vulnerability