The US government has warned its agencies of critical software vulnerabilities being exploited in a top geospatial data platform.
Found by security researcher Steve Ikeoka, the flaws affect the OSGeo GeoServer GeoTools, an open source software server used to share and edit geospatial data.
The US Cybersecurity and Infrastructure Security Agency (CISA) added a new vulnerability, tracked as CVE-2024-36401, and carrying a severity score of 9.8, to its Known Exploited Vulnerabilities (KEV) catalog, which means it is being abused by threat actors, and urged them to apply the patch by August 5, 2024.
Remote Code Execution
By custom-tailoring specific inputs, threat actors can abuse the flaws in the software to trigger remote code execution (RCE), it was said.
“Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions,” OSGeo said in a security advisory published with the patch.
The patched versions are 2.23.6, 2.24.4, and 2.25.2, and CISA has given federal agencies until August 5 to update the software or stop using it.
The warning does not state who the threat actors are, nor who the victims are. GeoServer said the flaw is “confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.”
The nature of open-source projects make it impossible to determine how many people might be affected, but we do know that OSGeo, GeoServer, and GeoTools have a large and active user base. The tools are widely used in various industries, including government, academia, and private sector, for geospatial data management, analysis, and visualization. The vibrant communities, frequent contributions, and widespread adoption by prominent organizations all point to their significant and growing usage.
Via TheHackerNews