CVE-2024-36401
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on GeoServer instances by sending specially crafted OGC requests. It affects ALL default GeoServer installations due to unsafe XPath evaluation in the GeoTools library. Organizations using vulnerable GeoServer versions for geospatial data sharing are at immediate risk.
💻 Affected Systems
- GeoServer
📦 What is this software?
Geoserver by Geoserver
Geotools by Geotools
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal data, deploy ransomware, or pivot to internal networks.
Likely Case
Remote code execution leading to data exfiltration, service disruption, or installation of backdoors for persistent access.
If Mitigated
Attack attempts are blocked at network perimeter, with no successful exploitation due to patched systems and proper access controls.
🎯 Exploit Status
Exploitation confirmed through multiple OGC request types (WFS GetFeature, WMS GetMap, etc.) but no public PoC available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.22.6, 2.23.6, 2.24.4, or 2.25.2
Vendor Advisory: https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
Restart Required: Yes
Instructions:
1. Identify current GeoServer version.
2. Download appropriate patched version (2.22.6, 2.23.6, 2.24.4, or 2.25.2).
3. Backup configuration and data.
4. Stop GeoServer service.
5. Install patched version.
6. Restart GeoServer service.
7. Verify functionality.
🔧 Temporary Workarounds
Remove vulnerable gt-complex library
Applies to: all
Removes the vulnerable GeoTools complex module to eliminate the attack surface
find /path/to/geoserver -name "gt-complex-*.jar" -delete
🧯 If You Can't Patch
- Implement strict network access controls to limit GeoServer exposure
- Deploy WAF rules to block suspicious OGC request patterns
🔍 How to Verify
Check if Vulnerable:
Check GeoServer version via web interface admin panel or examine WEB-INF/lib directory for gt-complex JAR files
Check Version:
Check web interface at http://geoserver-host:port/geoserver/web or examine version.txt in installation directory
Verify Fix Applied:
Confirm version is 2.22.6, 2.23.6, 2.24.4, or 2.25.2 and gt-complex JAR is either removed or updated
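The two verification steps above (version check and gt-complex JAR check) as a defender-side script; this is an added example, not code from the page or from the GeoServer project. It goes beyond the page's list of four patch versions by assuming that later patch releases of a fixed branch and every newer minor series are also fixed, and that branches older than 2.22 never received a fix.

```python
"""Added example: assess a GeoServer install for CVE-2024-36401 (gt-complex XPath RCE)."""
import re
from pathlib import Path

# First release in each affected branch that carries the fix (from the advisory).
FIXED_IN = {(2, 22): 6, (2, 23): 6, (2, 24): 4, (2, 25): 2}
OLDEST_FIXED_BRANCH = (2, 22)
NEWEST_LISTED_BRANCH = (2, 25)


def parse_version(text: str):
    """Extract (major, minor, patch) from strings such as '2.24.3' or 'GeoServer 2.25.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix for its release branch.

    Assumption (not stated on the page): later patches of a fixed branch and
    newer minor series (2.26+) also carry the fix; branches before 2.22 do not.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch < OLDEST_FIXED_BRANCH:
        return True
    if branch > NEWEST_LISTED_BRANCH:
        return False
    return patch < FIXED_IN[branch]


def find_gt_complex_jars(lib_dir: str) -> list:
    """List gt-complex JARs in WEB-INF/lib; an empty list means the workaround was applied."""
    return sorted(p.name for p in Path(lib_dir).glob("gt-complex-*.jar"))


def assess(version: str, lib_dir: str) -> str:
    """Combine both checks into one verdict: patched, mitigated, or VULNERABLE."""
    if not is_vulnerable(version):
        return "patched"
    jars = find_gt_complex_jars(lib_dir)
    return "VULNERABLE" if jars else "mitigated (gt-complex removed)"


if __name__ == "__main__":
    # Constructed sample input: an unpatched 2.25.1 with the JAR still present.
    print(assess("GeoServer 2.25.1", "/path/to/geoserver/WEB-INF/lib"))
```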
📡 Detection & Monitoring
Log Indicators:
- Unusual OGC requests with complex XPath expressions
- Multiple failed authentication attempts followed by successful requests
- Java process spawning unexpected child processes
Network Indicators:
- Spike in requests to /geoserver/wfs, /geoserver/wms, or /geoserver/wps endpoints
- Requests containing unusual property names or XPath-like syntax
SIEM Query:
source="geoserver.log" AND ("GetFeature" OR "GetMap" OR "Execute") AND ("property" OR "attribute" OR "xpath")
🔗 References
- https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852
- https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
- https://github.com/geotools/geotools/pull/4797
- https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
- https://osgeo-org.atlassian.net/browse/GEOT-7587
- https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401