Widely used open-source Java tools, GeoServer and GeoTools, that help in geospatial data processing have fixed security vulnerabilities related to XPath expression injection.
Identified as CVE-2024-36401 and CVE-2024-36404, these XPath expression injection vulnerabilities could potentially lead to remote code execution, posing serious risks to affected systems.
These expression injection vulnerabilities stem from the way GeoServer handles XPath expressions. Specifically, when GeoServer interacts with the GeoTools library API, it passes element type attribute names insecurely to the commons-jxpath library. This mishandling allows malicious actors to inject crafted XPath expressions that could execute arbitrary code on the affected server.
Exploitation and Impact of XPath Expression Injection Vulnerabilities
An unauthenticated attacker can exploit these vulnerabilities by sending specially crafted inputs via multiple OGC request parameters. This could lead to unauthorized remote code execution within the context of the GeoServer application, potentially compromising the confidentiality, integrity, and availability of geospatial data stored and processed by the affected systems.
For GeoServer, vulnerable versions include those before 2.23.6, versions between 2.24.0 to 2.24.3, and versions between 2.25.0 to 2.25.1. Similarly, for GeoTools, affected versions encompass those before 29.6, versions between 30.0 to 30.3, and versions between 31.0 to 31.1.
To address these security risks, immediate action is strongly recommended. Users should upgrade GeoServer installations to versions 2.23.6 or later, 2.24.4 or later, and 2.25.2 or later. Likewise, GeoTools users should upgrade to version 29.6 or later, 30.4 or later, or 31.2 or later. Official patches have been released to mitigate these vulnerabilities, and users should download them promptly from the respective GeoServer and GeoTools repositories.
Mitigation and Patches for XPath Expression Injection Vulnerabilities
For those unable to upgrade immediately, replace vulnerable jar files (gt-app-schema, gt-complex, gt-xsd-core) in the WEB-INF/lib directory of GeoServer with versions 2.25.1, 2.24.3, 2.24.2, 2.23.2, 2.21.5, 2.20.7, 2.20.4, 2.19.2, or 2.18.0 can provide temporary protection. These actions are essential to safeguarding geospatial data processing systems against potential exploitation and maintaining the integrity and security of critical infrastructure.
Temporary Workaround: If immediate updates are not feasible, consider deleting the gt-complex-x.y.jar file (where x.y represents the GeoTools version, e.g., gt-complex-31.1.jar for GeoServer 2.25.1). Note that this action may temporarily compromise certain functionalities of GeoServer.
The vulnerabilities in GeoServer and GeoTools underline the critical importance of promptly applying security updates and patches. Organizations and users relying on these tools for geospatial data management and processing should prioritize updating their installations to mitigate the risk of exploitation. By staying informed and proactive in addressing security advisories, users can safeguard their systems against potential threats and ensure the secure operation of geospatial services.
