CVE-2024-34696
📋 TL;DR
GeoServer versions 2.10.0 through 2.24.3 and 2.25.0 expose environment variables and Java properties containing sensitive credentials to authenticated administrators via the Server Status page and REST API. This affects GeoServer instances where administrators have access to these interfaces, potentially revealing database passwords, API keys, and other secrets. The vulnerability is particularly impactful in containerized deployments where startup scripts export credentials as environment variables.
💻 Affected Systems
- GeoServer
📦 What is this software?
Geoserver by Geoserver
⚠️ Risk & Real-World Impact
Worst Case
Administrator credentials are compromised, allowing an attacker to access all environment variables and Java properties containing database passwords, API keys, and other sensitive secrets, leading to complete system compromise and data exfiltration.
Likely Case
Legitimate administrators unintentionally expose sensitive credentials through normal administrative activities, potentially leading to credential leakage if screenshots or logs are shared.
If Mitigated
With proper access controls and updated versions, administrators cannot view sensitive environment variables through the Server Status interface, maintaining credential confidentiality.
🎯 Exploit Status
Exploitation requires authenticated administrative access to GeoServer. No public exploit code has been identified, but the vulnerability is straightforward to exploit once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.24.4 or 2.25.1
Vendor Advisory: https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf
Restart Required: Yes
Instructions:
1. Download GeoServer 2.24.4 or 2.25.1 from the official website.
2. Stop the current GeoServer instance.
3. Backup configuration and data directories.
4. Install the new version.
5. Restore configuration and data.
6. Start the updated GeoServer instance.
🔧 Temporary Workarounds
Hide Environment Variables and Java Properties
Configure GeoServer to hide environment variables and Java system properties by default in the Server Status page and REST API.
Modify the GeoServer configuration so that exposure of environment variables and Java properties is disabled; consult the GeoServer documentation for the specific configuration parameters.
🧯 If You Can't Patch
- Restrict administrative access to only trusted personnel and implement strict access logging for Server Status page usage.
- Review and minimize environment variables and Java properties containing sensitive information in GeoServer deployment.
🔍 How to Verify
Check if Vulnerable:
Access the GeoServer Server Status page as an administrator and check if environment variables and Java properties are displayed. Alternatively, query the REST API endpoint '/geoserver/rest/about/status' with administrator credentials.
Check Version:
Check the GeoServer version in the web interface under 'About & Status' or examine the server startup logs.
Verify Fix Applied:
After updating, verify that environment variables and Java properties are no longer displayed in the Server Status page or REST API responses.
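A small check for the "Verify Fix Applied" step, added here as an example and not part of the advisory or of GeoServer itself. It searches the raw text of a `/geoserver/rest/about/status` response for the *values* of the environment variables the GeoServer process was started with, so it works whatever the response format is and does not depend on the exact JSON layout (the sample bodies below are constructed and only illustrative). The `fetch_status` helper assumes the server accepts HTTP Basic authentication for the REST API; the host and credentials are placeholders.

```python
import json
import os
import sys
import urllib.request
from base64 import b64encode

# Endpoint path named in the advisory. Host and credentials are placeholders.
STATUS_PATH = "/geoserver/rest/about/status"

# Short or generic values ("true", "8080") would match almost any body,
# so only values of at least this length are searched for.
MIN_VALUE_LEN = 8


def find_leaked_values(body: str, env: dict) -> list:
    """Return names of variables whose values appear verbatim in the response body.

    Matching on values rather than names is deliberate: a fixed server may
    still mention a variable name in a module description, but it must never
    echo the secret itself.
    """
    leaked = [name for name, value in env.items()
              if len(value) >= MIN_VALUE_LEN and value in body]
    return sorted(leaked)


def fetch_status(base_url: str, user: str, password: str) -> str:
    """Fetch the status endpoint (assumption: Basic auth is accepted)."""
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + STATUS_PATH,
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample: what a containerised deployment's startup script might export.
SAMPLE_ENV = {
    "POSTGRES_PASSWORD": "s3cr3t-db-pass-2024",
    "S3_SECRET_KEY": "wJalrXUtnFEMI-example-secret",
    "JAVA_HOME": "/usr/lib/jvm/java-11",
    "DEBUG": "true",
}

# Constructed response bodies; the structure is illustrative only.
VULNERABLE_BODY = json.dumps({"status": [
    {"module": "system-environment", "name": "POSTGRES_PASSWORD", "message": "s3cr3t-db-pass-2024"},
    {"module": "system-environment", "name": "JAVA_HOME", "message": "/usr/lib/jvm/java-11"},
]})
FIXED_BODY = json.dumps({"status": [
    {"module": "system-environment", "name": "Environment", "message": "hidden"},
]})


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # Run on the same host as GeoServer so os.environ holds the process's variables.
        body = fetch_status(sys.argv[1], sys.argv[2], sys.argv[3])
        env = dict(os.environ)
    else:
        body, env = VULNERABLE_BODY, SAMPLE_ENV
    leaked = find_leaked_values(body, env)
    print("leaked variables:", leaked or "none")
    sys.exit(1 if leaked else 0)
```

Run it as `python check_status.py https://geoserver.example.invalid admin '<password>'` on the GeoServer host after the upgrade; a non-zero exit means at least one variable value still appears in the status output. With no arguments it runs against the constructed samples.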
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to Server Status page or '/rest/about/status' API endpoint
- Administrative account access from unexpected locations or times
Network Indicators:
- HTTP requests to '/geoserver/rest/about/status' endpoint with administrator authentication
SIEM Query:
source="geoserver" AND (uri_path="/geoserver/web/wicket/bookmarkable/org.geoserver.web.admin.StatusPage" OR uri_path="/geoserver/rest/about/status") AND user_role="administrator"
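For sites without a SIEM, the same detection logic can be run over the web server's access log. The script below is an added example, not part of the advisory: it parses combined-format log lines (constructed sample below), keeps successful requests to the two paths from the SIEM query, and flags administrators reaching them from outside a trusted network or more often than a threshold. The trusted network and the threshold are placeholder assumptions to adjust per site.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Paths from the advisory's SIEM query.
WATCHED_PATHS = {
    "/geoserver/rest/about/status",
    "/geoserver/web/wicket/bookmarkable/org.geoserver.web.admin.StatusPage",
}

# Assumption: administrators normally connect from this network (placeholder).
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

# Combined log format; the third field is the authenticated user.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def status_page_hits(lines):
    """Successful (2xx) requests to the status page or status REST endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in WATCHED_PATHS and rec["status"].startswith("2"):
            hits.append(rec)
    return hits


def flag_suspicious(hits, trusted_nets=TRUSTED_NETS, max_per_user=3):
    """Return (user, ip, reason) tuples for hits worth a closer look."""
    findings = []
    for h in hits:
        if not any(ip_address(h["ip"]) in net for net in trusted_nets):
            findings.append((h["user"], h["ip"], "status page read from untrusted network"))
    for user, n in Counter(h["user"] for h in hits).items():
        if n > max_per_user:
            findings.append((user, "*", f"{n} status-page reads exceed threshold {max_per_user}"))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.1.2.3 - admin [02/Jul/2024:09:15:01 +0000] "GET /geoserver/rest/about/status HTTP/1.1" 200 5120',
    '10.1.2.3 - admin [02/Jul/2024:09:15:07 +0000] "GET /geoserver/web/wicket/bookmarkable/org.geoserver.web.admin.StatusPage HTTP/1.1" 200 21000',
    '203.0.113.45 - admin [02/Jul/2024:23:41:10 +0000] "GET /geoserver/rest/about/status?format=json HTTP/1.1" 200 5120',
    '203.0.113.45 - admin [02/Jul/2024:23:41:12 +0000] "GET /geoserver/rest/about/status HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Jul/2024:23:42:00 +0000] "GET /geoserver/rest/about/status HTTP/1.1" 401 0',
    '10.1.2.9 - alice [02/Jul/2024:10:00:00 +0000] "GET /geoserver/web/ HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for user, ip, reason in flag_suspicious(status_page_hits(SAMPLE_LOG)):
        print(f"{user:<8} {ip:<14} {reason}")
```

The 401 line is dropped on purpose: an unauthenticated probe of the endpoint is a different signal from an administrator actually reading the page, and it is the successful reads that can expose credentials.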