The widely used open-source geospatial tools GeoServer and GeoTools have recently addressed critical security vulnerabilities related to XPath expression injection. Identified as CVE-2024-36401 and CVE-2024-36404, these flaws could potentially lead to remote code execution, posing serious risks to affected systems. The vulnerabilities stem from the way GeoServer handles XPath expressions when interacting with the GeoTools library API, which involves insecure handling of element type attribute names, allowing malicious actors to inject crafted XPath expressions to execute arbitrary code.
Unauthenticated attackers can exploit these vulnerabilities by sending specially crafted inputs through various OGC request parameters. This can lead to unauthorized remote code execution within the context of the GeoServer application, compromising the confidentiality, integrity, and availability of geospatial data. Affected versions of GeoServer include those before 2.23.6, versions between 2.24.0 and 2.24.3, and versions between 2.25.0 and 2.25.1. GeoTools users should be aware that versions before 29.6, between 30.0 and 30.3, and between 31.0 and 31.1 are also vulnerable.
To mitigate these security risks, users should promptly upgrade their GeoServer installations to versions 2.23.6 or later, 2.24.4 or later, and 2.25.2 or later. Similarly, GeoTools users should upgrade to version 29.6 or later, 30.4 or later, or 31.2 or later. Official patches have been released to address these vulnerabilities, and it is crucial to download and apply them to protect against potential exploitation.
For those unable to upgrade immediately, temporary protection can be achieved by replacing vulnerable jar files in the WEB-INF/lib directory of GeoServer with specific versions or by deleting the gt-complex-x.y.jar file. While these actions may offer temporary relief, users should prioritize applying official updates to ensure the security and functionality of their geospatial data processing systems.
