{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-068.pdf"
    },
    "title": "Critical Vulnerabilities in GeoServer and GeoTools",
    "serial_number": "2024-068",
    "publish_date": "11-07-2024 13:14:25",
    "description": "On July 2, 2024, several critical vulnerabilities were addressed in GeoServer and GeoTools. These vulnerabilities can result in arbitrary code execution through the unsafe evaluation of user-supplied \"XPath\" expressions.<br>\nIt is recommended to update as soon as possible.<br>\n",
    "url_title": "2024-068",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in\u00a0GeoServer\u00a0and\u00a0GeoTools'\nnumber: '2024-068'\nversion: '1.0'\noriginal_date: 'July 2, 2024'\ndate: 'July 11, 2024'\n---\n\n_History:_\n\n* _11/07/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn July 2, 2024, several critical vulnerabilities were addressed in GeoServer and GeoTools. These vulnerabilities can result in arbitrary code execution through the unsafe evaluation of user-supplied `XPath` expressions [1,2,3].\n\nIt is recommended to update as soon as possible.\n\n# Technical Details\n\nThe vulnerability **CVE-2024-36401**, with a CVSS score of 9.8, is a Remote Code Execution (RCE) flaw that unauthenticated users can trigger via specially crafted input to a default GeoServer installation. This issue arises from the unsafe evaluation of property names as `XPath` expressions due to a flaw in the GeoTools library API, which GeoServer relies upon [1].\n\nThe vulnerability **CVE-2024-36404**, with a CVSS score of 9.8, is a Remote Code Execution (RCE) flaw in the GeoTools library. This vulnerability occurs when certain methods use the `commons-jxpath` library to evaluate `XPath` expressions supplied within user inputs. The `commons-jxpath` library has the capability to execute arbitrary code embedded within these `XPath` expressions [2].\n\n# Affected Products\n\n**CVE-2024-36401** affects the following packages:\n\n- org.geoserver.web:gs-web-app\n- org.geoserver:gs-wfs\n- org.geoserver:gs-wms\n\nin the following versions:\n\n- From version 2.24.0 up to, but not including, version 2.24.4\n- From version 2.25.0 up to, but not including, version 2.25.2\n- All versions prior to 2.23.6\n\n**CVE-2024-36404** affects the following packages:\n\n- org.geotools.xsd:gt-xsd-core\n- org.geotools:gt-app-schema\n- org.geotools:gt-complex\n\nin the following versions:\n\n- From version 30.0 up to, but not including, version 30.4\n- From version 31.0 up to, but not including, version 31.2\n- All versions prior to 29.6\n\n# Recommendations\n\nCERT-EU strongly recommends updating to the latest versions by following the instructions given by the vendor [1,2].\n\n## Workaround and Mitigation\n\nGeoServer has issued a workaround and mitigation measures that depend on the release version.\n\nThe workaround is to remove the `gt-complex-x.y.jar` file from the GeoServer installation, where `x.y` is the GeoTools version. This removes the vulnerable code from GeoServer but may impact other functionality. A list of mitigation measures is available in the vendor advisories [1,2].\n\n# References\n\n[1] <https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv>\n\n[2] <https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w>\n\n[3] <https://nsfocusglobal.com/remote-code-execution-vulnerability-between-geoserver-and-geotools-cve-2024-36401-cve-2024-36404-notification/>",
    "content_html": "<p><em>History:</em></p><ul><li><em>11/07/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On July 2, 2024, several critical vulnerabilities were addressed in GeoServer and GeoTools. These vulnerabilities can result in arbitrary code execution through the unsafe evaluation of user-supplied <code>XPath</code> expressions [1,2,3].</p><p>It is recommended to update as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2024-36401</strong>, with a CVSS score of 9.8, is a Remote Code Execution (RCE) flaw that unauthenticated users can trigger via specially crafted input to a default GeoServer installation. This issue arises from the unsafe evaluation of property names as <code>XPath</code> expressions due to a flaw in the GeoTools library API, which GeoServer relies upon [1].</p><p>The vulnerability <strong>CVE-2024-36404</strong>, with a CVSS score of 9.8, is a Remote Code Execution (RCE) flaw in the GeoTools library. This vulnerability occurs when certain methods use the <code>commons-jxpath</code> library to evaluate <code>XPath</code> expressions supplied within user inputs. The <code>commons-jxpath</code> library has the capability to execute arbitrary code embedded within these <code>XPath</code> expressions [2].</p><h2 id=\"affected-products\">Affected Products</h2><p><strong>CVE-2024-36401</strong> affects the following packages:</p><ul><li>org.geoserver.web:gs-web-app</li><li>org.geoserver:gs-wfs</li><li>org.geoserver:gs-wms</li></ul><p>in the following versions:</p><ul><li>From version 2.24.0 up to, but not including, version 2.24.4</li><li>From version 2.25.0 up to, but not including, version 2.25.2</li><li>All versions prior to 2.23.6</li></ul><p><strong>CVE-2024-36404</strong> affects the following packages:</p><ul><li>org.geotools.xsd:gt-xsd-core</li><li>org.geotools:gt-app-schema</li><li>org.geotools:gt-complex</li></ul><p>in the following versions:</p><ul><li>From version 30.0 up to, but not including, version 30.4</li><li>From version 31.0 up to, but not including, version 31.2</li><li>All versions prior to 29.6</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends updating to the latest versions by following the instructions given by the vendor [1,2].</p><h3 id=\"workaround-and-mitigation\">Workaround and Mitigation</h3><p>GeoServer has issued a workaround and mitigation measures that depend on the release version.</p><p>The workaround is to remove the <code>gt-complex-x.y.jar</code> file from the GeoServer installation, where <code>x.y</code> is the GeoTools version. This removes the vulnerable code from GeoServer but may impact other functionality. A list of mitigation measures is available in the vendor advisories [1,2].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv\">https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w\">https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://nsfocusglobal.com/remote-code-execution-vulnerability-between-geoserver-and-geotools-cve-2024-36401-cve-2024-36404-notification/\">https://nsfocusglobal.com/remote-code-execution-vulnerability-between-geoserver-and-geotools-cve-2024-36401-cve-2024-36404-notification/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}