CVE-2021-40822

7.5 HIGH

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in GeoServer that allows attackers to make arbitrary HTTP requests from the vulnerable server. Attackers can exploit the proxy host configuration option to access internal network resources or interact with local services. All GeoServer instances up to version 2.18.5 and 2.19.x up to 2.19.2 are affected.

💻 Affected Systems

Products:
  • GeoServer
Versions: Through 2.18.5 and 2.19.x through 2.19.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations using the proxy host option are vulnerable. The vulnerability exists in the proxy configuration functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of internal network resources, data exfiltration from internal services, or use as a pivot point for further attacks on internal systems.

🟠 Likely Case: Unauthorized access to internal HTTP services, information disclosure from internal endpoints, or interaction with cloud metadata services.

🟢 If Mitigated: Limited to external network access only, with no sensitive internal services exposed to the vulnerable server.

🌐 Internet-Facing: HIGH - Internet-facing GeoServer instances can be directly exploited by external attackers without authentication.
🏢 Internal Only: MEDIUM - Internal instances require attacker access to internal network, but can still be exploited for lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities are commonly exploited and require minimal technical skill. The proxy host parameter can be manipulated to make arbitrary requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.19.3 and 2.18.6

Vendor Advisory: https://github.com/geoserver/geoserver/releases

Restart Required: Yes

Instructions:

1. Back up your GeoServer configuration and data.
2. Download GeoServer 2.19.3 or 2.18.6 from the official releases.
3. Stop the GeoServer service.
4. Replace the existing installation with the patched version.
5. Restore your configuration and data.
6. Start the GeoServer service.

🔧 Temporary Workarounds

Disable Proxy Host Configuration (applies to: all)

Remove or restrict access to the proxy host configuration options in GeoServer settings.

Network Segmentation (applies to: all)

Place GeoServer in a restricted network segment with limited outbound access.

🧯 If You Can't Patch

  • Implement strict network egress filtering to limit GeoServer's outbound HTTP requests
  • Deploy a web application firewall (WAF) with SSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check GeoServer version via web interface or by examining the installation directory. Versions 2.18.5 or lower, or 2.19.0 through 2.19.2 are vulnerable.

Check Version:

Check the GeoServer web interface at /geoserver/web/ or examine the version.txt file in the installation directory.

Verify Fix Applied:

Verify version is 2.19.3 or higher, or 2.18.6 or higher. Test proxy functionality with controlled endpoints to ensure SSRF is prevented.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from GeoServer
  • Requests to internal IP addresses or localhost
  • Multiple failed proxy connection attempts

Network Indicators:

  • GeoServer making unexpected HTTP requests to internal services
  • Traffic to cloud metadata endpoints (169.254.169.254)

SIEM Query:

source="geoserver" AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16 OR dest_ip=127.0.0.1 OR dest_ip=169.254.169.254)
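The destination checks from the SIEM query above, applied to outbound-request log lines, as an added example that is not part of the advisory and not GeoServer code; the log line format and the SAMPLE_LOG entries are constructed assumptions, not GeoServer's actual log layout.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Destination ranges taken from the SIEM query above (RFC 1918 space,
# loopback, the cloud metadata address), plus IPv6 loopback.
SENSITIVE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "169.254.169.254/32",
)]

# Hypothetical outbound-request log format; real GeoServer log lines differ.
LINE_RE = re.compile(r"url=(?P<url>\S+)\s+status=(?P<status>\d+)")

# Constructed sample log lines so the example runs offline.
SAMPLE_LOG = [
    "2021-09-01T10:00:00Z geoserver outbound url=https://tiles.example.org/wms status=200",
    "2021-09-01T10:00:05Z geoserver outbound url=http://169.254.169.254/ status=200",
    "2021-09-01T10:00:09Z geoserver outbound url=http://10.0.3.7:8080/ status=403",
    "2021-09-01T10:00:12Z geoserver outbound url=http://[::1]:9200/ status=503",
    "2021-09-01T10:00:15Z geoserver outbound url=http://localhost/ status=500",
]


def is_sensitive_destination(host: str) -> bool:
    """True for 'localhost' or a literal IP inside SENSITIVE_NETS.

    DNS names are not resolved here, so a name that resolves to an internal
    address is missed; resolve at the log source if that coverage matters.
    """
    if host.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in SENSITIVE_NETS)


def find_ssrf_indicators(lines):
    """Return one record per outbound request aimed at a sensitive destination."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        host = urlparse(m["url"]).hostname  # strips port and IPv6 brackets
        if host and is_sensitive_destination(host):
            status = int(m["status"])
            hits.append({"host": host, "status": status, "failed": status >= 400})
    return hits
```

A run of records with `failed` set matches the "multiple failed proxy connection attempts" indicator listed above.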

🔗 References
