
The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog, adding a new vulnerability based on evidence of active exploitation. This catalog serves as a crucial resource for federal enterprises to identify and remediate high-risk vulnerabilities.

CVE-2024-36401: OSGeo GeoServer GeoTools Eval Injection Vulnerability

GeoServer, an open-source server that enables users to share and edit geospatial data, has a critical vulnerability identified as CVE-2024-36401. This vulnerability affects versions prior to 2.23.6, 2.24.4, and 2.25.2. It allows unauthenticated remote code execution (RCE) through multiple OGC request parameters by unsafely evaluating property names as XPath expressions. The GeoTools library, which GeoServer calls, evaluates these names in a manner that can execute arbitrary code. This vulnerability can be exploited through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute requests.

Impact: This vulnerability is a significant risk because it can lead to arbitrary code execution on any unpatched GeoServer instance, posing a substantial threat to any federal enterprise relying on GeoServer for geospatial data management.

Mitigation:

  • Upgrade: The issue is patched in GeoServer versions 2.23.6, 2.24.4, and 2.25.2. Upgrading to these versions is strongly recommended.
  • Workaround: As an interim measure, removing the gt-complex-x.y.jar file from GeoServer can mitigate the vulnerability. This file corresponds to the GeoTools version in use (e.g., gt-complex-31.1.jar for GeoServer 2.25.1). However, this may disrupt some functionality.
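The two mitigation options above translate into a straightforward self-assessment: compare the running GeoServer version against the fixed release for its branch, and, where an upgrade has not yet happened, confirm that the interim jar removal is actually in place. The following script is an added example (not code from the CISA alert or from the GeoServer project) that does both. The fixed versions 2.23.6, 2.24.4 and 2.25.2 and the gt-complex-x.y.jar workaround come from the alert; the WEB-INF/lib directory layout, the treatment of branches newer than those named in the alert as fixed, and the sample inputs are assumptions made for this example.

```python
"""Assess a GeoServer install against CVE-2024-36401.

Added example, not from the CISA alert or the GeoServer project.
Fixed versions are taken from the alert; the lib directory layout and the
sample inputs below are constructed for this example.
"""
import re
from pathlib import Path

# Fixed release per affected branch, as listed in the alert.
FIXED_VERSIONS = {
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}

# The interim workaround removes the GeoTools complex-feature jar.
GT_COMPLEX_JAR = re.compile(r"^gt-complex-\d+(\.\d+)*\.jar$")


def parse_version(text):
    """Turn '2.25.1' (optionally with a suffix) into a comparable tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when the version predates the fixed release for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    # Branches older than 2.23 predate every fixed release in the alert:
    # they are affected and the only remedy is to upgrade.
    if branch < (2, 23):
        return True
    # Assumption: branches newer than those in the alert include the fix.
    return False


def workaround_applied(jar_names):
    """True when no gt-complex-x.y.jar remains among the given jar names."""
    return not any(GT_COMPLEX_JAR.match(name) for name in jar_names)


def list_jars(lib_dir):
    """Jar file names in a GeoServer WEB-INF/lib directory (assumed layout)."""
    return [p.name for p in Path(lib_dir).iterdir() if p.suffix == ".jar"]


def assess(version, jar_names):
    """One-line verdict combining the version check and the workaround check."""
    if not is_vulnerable(version):
        return "patched"
    if workaround_applied(jar_names):
        return "vulnerable version; interim workaround applied, upgrade still required"
    return "VULNERABLE: upgrade, or remove the gt-complex jar as an interim measure"


if __name__ == "__main__":
    # Constructed sample: a 2.25.1 install with the GeoTools 31.1 jars present.
    sample_jars = ["gt-main-31.1.jar", "gt-complex-31.1.jar", "gt-xml-31.1.jar"]
    for ver in ("2.25.1", "2.25.2", "2.23.5", "2.22.0"):
        print(f"{ver:8} -> {assess(ver, sample_jars)}")
    # Same install after the workaround: gt-complex removed.
    print("2.25.1 (jar removed) ->", assess("2.25.1", ["gt-main-31.1.jar"]))
    # Against a real install, replace sample_jars with:
    # list_jars("/opt/geoserver/webapps/geoserver/WEB-INF/lib")  # assumed path
```

The version check is branch-aware on purpose: a 2.24.3 install is vulnerable even though 2.24.3 is numerically below 2.25.2, and a naive "is it below the newest fixed version" comparison would wrongly clear 2.25.1 against 2.24.4. The verdict also keeps the workaround distinct from a real fix, because removing the jar is described as interim and may break functionality.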

Importance of Timely Remediation

The update to the KEV Catalog emphasizes the importance of timely remediation of known vulnerabilities. The Binding Operational Directive (BOD) 22-01 mandates Federal Civilian Executive Branch (FCEB) agencies to address identified vulnerabilities by specified deadlines to protect their networks against active threats.

BOD 22-01 Overview: BOD 22-01 was established to reduce the significant risks posed by known exploited vulnerabilities. It created the KEV Catalog as a dynamic list of CVEs that carry considerable risk. While BOD 22-01 specifically applies to FCEB agencies, CISA strongly advises all organizations to incorporate these remediations into their vulnerability management practices.

Recommendations for All Organizations

  1. Regular Updates: Regularly update all systems and software to the latest versions to protect against known vulnerabilities.
  2. Vulnerability Management: Prioritize remediation of vulnerabilities listed in the KEV Catalog as part of your organization’s vulnerability management strategy.
  3. Monitoring and Detection: Employ advanced monitoring and detection systems to identify potential exploitations of vulnerabilities.
  4. Incident Response Plan: Develop and regularly update an incident response plan to swiftly address and mitigate the impacts of any exploitations.

Conclusion

Staying ahead of cyber threats requires proactive measures and vigilance. The addition of CVE-2024-36401 to CISA’s Known Exploited Vulnerabilities Catalog highlights the continuous efforts needed to secure federal networks and beyond. Organizations must take these alerts seriously, ensuring all recommended updates and patches are applied promptly to safeguard against potential exploits.

For more information on the BOD 22-01 and the KEV Catalog, please refer to the BOD 22-01 Fact Sheet available on the CISA website.