Organizations Warned of Exploited GeoServer Vulnerability

July 16, 2024 at 12:09PM

CISA is urgently advising federal agencies to address a high-severity vulnerability in GeoServer (CVE-2024-36401) because of active exploitation. The flaw allows unauthenticated attackers to execute code remotely through crafted input and affects all GeoServer instances. Users are advised to apply the latest patches and to review CISA’s Known Exploited Vulnerabilities list for further security measures.

Based on the article, the key takeaways are:

1. CISA is urging federal agencies to patch a critical-severity vulnerability (CVE-2024-36401) in GeoServer due to evidence of active exploitation.
2. The vulnerability allows unauthenticated attackers to execute code remotely through crafted input against a default GeoServer installation.
3. The vulnerability affects all GeoServer instances and can be exploited through various types of requests.
4. The flaw was addressed with the release of GeoServer versions 2.23.6, 2.24.4, and 2.25.2, along with GeoTools updates to patch CVE-2024-36404. A workaround involves removing the ‘gt-complex-x.y.jar’ file from the server, but this may break some GeoServer functionality.
5. The vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, with federal agencies required to identify vulnerable GeoServer instances and apply patches by August 5 under BOD 22-01.
6. Organizations of all types are advised to review CISA’s KEV list and apply available fixes or mitigations for the identified security defects.
7. There have been no reports of the flaw being exploited before CISA’s warning, but this is the second GeoServer vulnerability added to the KEV catalog in the past three weeks.
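A triage helper for the "identify vulnerable GeoServer instances" step in takeaway 5, added here as an example and not code from the article or the GeoServer project. It compares a reported version against the fixed releases named in takeaway 4 and checks whether the gt-complex workaround jar is still present; it assumes release branches newer than 2.25 ship with the fix, and the jar names in the sample inventory are constructed.

```python
"""Classify GeoServer instances for CVE-2024-36401 by version and workaround state."""
import re

# Fixed releases from the advisory, keyed by release branch (major, minor).
FIXED_RELEASES = {
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}
# The workaround removes gt-complex-x.y.jar; match that file name pattern.
GT_COMPLEX_JAR = re.compile(r"^gt-complex-\d+(?:\.\d+)*(?:-SNAPSHOT)?\.jar$")


def parse_version(text):
    """Extract a (major, minor, patch) tuple from a version or banner string."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def version_is_fixed(version):
    """True if this version is at or above the fixed release for its branch."""
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version >= FIXED_RELEASES[branch]
    # Assumption: branches newer than 2.25 include the fix; older branches
    # never received one and are treated as vulnerable.
    return branch > (2, 25)


def assess(version_text, lib_jars):
    """Return 'patched', 'mitigated' (jar removed) or 'vulnerable'."""
    if version_is_fixed(parse_version(version_text)):
        return "patched"
    if not any(GT_COMPLEX_JAR.match(name) for name in lib_jars):
        return "mitigated"  # workaround applied, some functionality may be broken
    return "vulnerable"


# Constructed sample inventory: (host, reported version, jars in WEB-INF/lib).
SAMPLE_INVENTORY = [
    ("gis-01", "GeoServer 2.25.1", ["gt-complex-31.1.jar", "gt-main-31.1.jar"]),
    ("gis-02", "2.25.2", ["gt-complex-31.2.jar", "gt-main-31.2.jar"]),
    ("gis-03", "2.23.5", ["gt-main-29.5.jar"]),
    ("gis-04", "2.22.5", ["gt-complex-28.5.jar"]),
]

if __name__ == "__main__":
    for host, version, jars in SAMPLE_INVENTORY:
        print(f"{host}: {assess(version, jars)}")
```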

These takeaways provide a clear understanding of the urgency and actions required to address the GeoServer vulnerability.
