CISA Warns of Actively Exploited RCE Flaw in GeoServer GeoTools Software

July 16, 2024 at 12:45AM

The U.S. CISA identified a critical security flaw in OSGeo GeoServer GeoTools as actively exploited. The vulnerability, CVE-2024-36401, allows remote code execution. Versions 2.23.6, 2.24.4, and 2.25.2 address the issue. Another flaw, CVE-2024-36404, also poses RCE risk. Federal agencies must apply fixes by August 5, 2024, amid reports of active Ghostscript vulnerability exploitation.

Key takeaways:

– The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical security flaw impacting OSGeo GeoServer GeoTools, tracked as CVE-2024-36401 (CVSS score: 9.8), which allows for remote code execution through specially crafted input. The flaw has been addressed in versions 2.23.6, 2.24.4, and 2.25.2.
– Another critical flaw (CVE-2024-36404, CVSS score: 9.8) has also been patched in GeoTools versions 29.6, 30.4, and 31.2. It could result in remote code execution if certain GeoTools functionality is used to evaluate XPath expressions supplied by user input.
– Federal agencies are required to apply the vendor-provided fixes by August 5, 2024, in response to the active abuse of CVE-2024-36401.
– There are reports of active exploitation of a remote code execution vulnerability in the Ghostscript document conversion toolkit (CVE-2024-29510), which has been addressed in version 10.03.1.
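The advisories above each name fixed releases per maintenance branch, and a common triage mistake is to compare an installed version against the newest release only. The following is an added example, not CISA's or OSGeo's tooling: a branch-aware check that classifies inventory rows against the fixed versions quoted on this page (the advisory labels, the branch layout and the sample hostnames are this example's own assumptions).

```python
import re

# Fixed releases from the advisory text, keyed by release branch. The
# branch-aware layout is this example's assumption: a 2.24.x deployment is
# only covered by 2.24.4, not by the 2.25.2 release of the newer branch.
FIXED_VERSIONS = {
    "GeoServer CVE-2024-36401": {(2, 23): (2, 23, 6), (2, 24): (2, 24, 4), (2, 25): (2, 25, 2)},
    "GeoTools CVE-2024-36404": {(29,): (29, 6), (30,): (30, 4), (31,): (31, 2)},
    "Ghostscript CVE-2024-29510": {(10,): (10, 3, 1)},
}

def parse_version(text):
    """Turn '2.25.2', '10.03.1' or '2.24.4-SNAPSHOT' into a tuple of ints."""
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def assess(advisory, version):
    """Classify one install as 'fixed', 'vulnerable' or 'unknown-branch'.
    Branch length (two components for GeoServer, one for the others) is
    read from the table keys; branches not in the table are flagged for
    manual review instead of being silently passed."""
    fixed = FIXED_VERSIONS[advisory]
    branch_len = len(next(iter(fixed)))
    parsed = parse_version(version)
    branch = parsed[:branch_len]
    if branch not in fixed:
        return "unknown-branch"
    return "fixed" if parsed >= fixed[branch] else "vulnerable"

def triage(inventory):
    """Run assess() over (host, advisory, version) rows and return every
    row that is not 'fixed', i.e. the ones still needing action."""
    findings = []
    for host, advisory, version in inventory:
        status = assess(advisory, version)
        if status != "fixed":
            findings.append((host, advisory, version, status))
    return findings

# Constructed sample inventory (hostnames are made up) to exercise the check.
SAMPLE_INVENTORY = [
    ("gis-01", "GeoServer CVE-2024-36401", "2.24.3"),
    ("gis-02", "GeoServer CVE-2024-36401", "2.25.2"),
    ("gis-03", "GeoServer CVE-2024-36401", "2.22.5"),
    ("etl-01", "GeoTools CVE-2024-36404", "31.1"),
    ("doc-01", "Ghostscript CVE-2024-29510", "10.03.0"),
]
```

`triage(SAMPLE_INVENTORY)` returns gis-01, etl-01 and doc-01 as vulnerable and gis-03 as unknown-branch, since 2.22.x is not one of the branches the advisory lists a fix for.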

In addition, federal agencies are urged to take action to mitigate these vulnerabilities, and it’s essential to stay informed about emerging security threats.
