Web Application FirewallGeoServer.OGC.Eval.Remote.Code.Execution
Description
This indicates an attack attempt to exploit a Remote Code Execution Vulnerability in GeoServer.
The vulnerability is due to lack of input validation when handling requests. A remote, unauthenticated attacker can exploit this vulnerability by sending maliciously crafted requests to the vulnerable server. Successful exploitation could result in arbitrary code execution in the security context of the application.
Outbreak Alert
A remote code execution vulnerability affecting GeoServer is under active exploitation, with recent attack attempts observed on 40,000+ FortiGuard sensors. This vulnerability (CVE-2024-36401) is suspected to be exploited by the Earth Baxia APT group, as reported by FortiGuard Recon and the root cause of the vulnerability lies in the absence of proper input validation during request handling, posing a significant risk of system compromise upon successful exploitation.
Affected Products
GeoServer prior to 2.23.6
GeoServer 2.24.x prior to 2.24.4
GeoServer 2.25.x prior to 2.25.2
Impact
System Compromise: Remote attackers can gain control of vulnerable systems.
Recommended Actions
Apply the most recent upgrade or patch from the vendor.
https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
Version Updates
| Date | Version | Status | Detail |
|---|---|---|---|
| 2024-11-25 | 1.00058 |
New
|
| ID | 1002017439 |
| Created | Nov 25, 2024 |
| Updated | Nov 25, 2024 |
| CVE ID | |
| Tags | GeoServer RCE |
| Risk |
|
| Default Action | drop |
| Active | |
| Affected OS | Windows, Linux, MacOS |
| Affected App | Other |