The US government has warned its agencies about critical software vulnerabilities being exploited in a major geospatial data platform.
The flaws discovered by security researcher Steve Ikeoka affect OSGeo GeoServer GeoTools, an open-source software server used to share and edit geospatial data.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new vulnerability, tracked as CVE-2024-36401 and with a severity score of 9.8, to its Known Exploited Vulnerabilities (KEV) catalog, meaning that threat actors are abusing it, and urged them to patch it by August 5, 2024.
Remote code execution
It was said that by customizing specific inputs, threat actors can exploit flaws in the software to trigger remote code execution (RCE).
“Several OGC request parameters allow remote code execution (RCE) by unauthenticated users via specially crafted input against a default GeoServer installation due to unsafe evaluation of property names as XPath expressions,” OSGeo said in a security advisory published with the patch.
The patched versions are 2.23.6, 2.24.4 and 2.25.2, and CISA has given federal agencies until Aug. 5 to update the software or stop using it.
The warning does not indicate who the threat authors are or who the victims are. GeoServer said the flaw has been confirmed to be “exploitable via WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute requests.”
The nature of open source projects makes it impossible to determine how many people might be affected, but we do know that OSGeo, GeoServer, and GeoTools have a large and active user base. The tools are widely used across a variety of industries, including government, academia, and the private sector, for geospatial data management, analysis, and visualization. Vibrant communities, frequent contributions, and widespread adoption by major organizations are indications of their significant and growing use.
Through Hackers News
