The US government has warned its agencies about critical software vulnerabilities being exploited in a key geospatial data platform.
The flaws were discovered by security researcher Steve Ikeoka and affect OSGeo GeoServer and GeoTools, an open-source server (and the library it is built on) used to share and edit geographic data.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw, tracked as CVE-2024-36401 with a severity score of 9.8, to its Known Exploited Vulnerabilities (KEV) catalogue. Inclusion in the catalogue means CISA has evidence that it is being exploited by malicious actors. CISA has urged federal agencies to apply the patch before August 5, 2024.
Remote code execution
By supplying specially crafted input, attackers can exploit the flaw to achieve remote code execution (RCE), CISA said.
“Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users via specially crafted input on a default GeoServer installation, due to insecure evaluation of property names as XPath expressions,” OSGeo said in a security advisory published with the patch.
The patched versions are 2.23.6, 2.24.4 and 2.25.2, and CISA has given federal agencies until August 5 to update the software or stop using it.
The alert does not specify who the threat actors are, nor who the victims are. GeoServer said the vulnerability “has been confirmed to be exploitable via WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute requests.”
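As an added example (not from the article or from the GeoServer project), a defender-side triage script in Python: it classifies a GeoServer version against the fixed releases named above and scans constructed access-log lines for the listed OGC request types whose propertyName or valueReference parameter carries something other than a plain property name. The two parameter names watched and the plain-name grammar are assumptions of this example, not taken from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Fixed releases named in the advisory; every earlier release on the same branch is affected.
FIXED = {(2, 23): (2, 23, 6), (2, 24): (2, 24, 4), (2, 25): (2, 25, 2)}

# OGC request types the advisory confirms as exploitable, and (assumption) the GET parameters
# most likely to carry a property name.
EXPLOITABLE = {"getfeature", "getpropertyvalue", "getmap", "getfeatureinfo", "getlegendgraphic", "execute"}
PROPERTY_PARAMS = ("propertyname", "valuereference")

# Plain property name: optional prefix, identifier, '/' nesting, '@' attributes; anything else is flagged.
PLAIN_NAME = re.compile(r"^@?[A-Za-z_][\w.\-]*(:[A-Za-z_][\w.\-]*)?(/@?[A-Za-z_][\w.\-:]*)*$")

def patch_status(version: str) -> str:
    """Classify a GeoServer version as 'patched', 'vulnerable' or 'unknown' against the advisory."""
    try:
        parts = tuple(int(p) for p in version.split(".")[:3])
    except ValueError:
        return "unknown"
    if len(parts) < 3:
        return "unknown"
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        return "unknown"          # branches not listed in the advisory need a separate check
    return "patched" if parts >= fixed else "vulnerable"

def flag_request(log_line: str):
    """Return (request, param, offending_name) for a suspicious GET query string, else None."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    params = {k.lower(): v for k, v in query.items()}
    request = params.get("request", [""])[0].lower()
    if request not in EXPLOITABLE:
        return None
    for param in PROPERTY_PARAMS:
        for value in params.get(param, []):          # parse_qs has already percent-decoded the value
            for name in value.split(","):
                if not PLAIN_NAME.match(name.strip()):
                    return (request, param, name.strip())
    return None

# Constructed sample access-log lines (not real traffic); the second carries function-call syntax.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2024:12:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME,the_geom HTTP/1.1" 200 8192',
    '10.0.0.9 - - [10/Jul/2024:12:00:07 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=someFunction(%27x%27) HTTP/1.1" 200 512',
]
```

POST requests carry their OGC payload in an XML body, which an access log does not record, so those need request-body logging or a WAF rule rather than this scan.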
Because the software is open source, there is no reliable count of how many deployments may be affected, but OSGeo, GeoServer, and GeoTools have large and active user bases. The tools are widely used across government, academia, and the private sector for geospatial data management, analysis, and visualization, and their active communities, frequent contributions, and adoption by leading organizations all point to significant and growing use.
Via TheHackerNews