A new critical Remote Code Execution (RCE) vulnerability impacting GeoServer has been reported. It has been assigned the reference CVE-2024-36401 and a CVSS 3.1 score of 9.8. The Stormshield Customer Security Lab details our protection offerings.

It should be noted that a large number of proofs of concept for CVE-2024-36401 are freely available, creating a significant potential for exploitation by threat actors.


Initial attack vector of the GeoServer vulnerability

The vulnerability allows an unauthenticated user to trigger an arbitrary remote code execution on the GeoServer server. This could be used to remotely initiate a reverse shell and take control of the server.


Technical details of the GeoServer vulnerability

The underlying API of GeoServer does not perform security checks on specific values of some parameters. As a result, Java code sent through HTTP requests can be interpreted, and that code runs in the execution context of the GeoServer server.


Attack modelling with MITRE ATT&CK

MITRE ATT&CK

  • T1190 (Exploit Public-Facing Application)


How to protect against the GeoServer vulnerability with Stormshield Network Security

Protection against CVE-2024-36401

Stormshield Network Security (SNS) firewalls detect and block exploitation of CVE-2024-36401 with the following protocol inspection signature:

  • http:client.102: Exploitation of a RCE in GeoServer (CVE-2024-36401)

Confidence index for the protection offered by Stormshield

Confidence index for the absence of false positives

Recommendations regarding the GeoServer vulnerability

It is highly recommended to update the GeoServer application to one of the following versions:

  • 24.4
  • 25.2
  • 23.6

Disabling the WFS service also protects against exploitation of this vulnerability.
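A small audit helper, added here as an example (it is not Stormshield's or GeoServer's own code), that checks an instance against the fixed versions listed above and reports whether the WFS mitigation is in place. It assumes the standard GeoServer REST endpoints /rest/about/version.json and /rest/services/wfs/settings.json with the response shapes shown in the constructed samples, and takes the fixed releases as 2.23.6, 2.24.4 and 2.25.2 of the 2.x series.

```python
import base64, json, sys, urllib.request
# Fixed releases named above (2.x series: 2.23.6, 2.24.4, 2.25.2): branch -> first fixed patch.
FIXED = {23: 6, 24: 4, 25: 2}

# Constructed sample responses shaped like the two REST endpoints (assumption, not real output).
SAMPLE_ABOUT = {"about": {"resource": [{"@name": "GeoTools", "Version": "31.1"},
                                       {"@name": "GeoServer", "Version": "2.25.1"}]}}
SAMPLE_WFS = {"wfs": {"enabled": True}}

def parse_version(text):
    """'2.25.1' or '2.25-SNAPSHOT' -> (2, 25, 1) / (2, 25, 0)."""
    nums = [int(p) if p.isdigit() else 0 for p in text.strip().split("-")[0].split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_fixed(version):
    """True if this 2.x build carries the CVE-2024-36401 fix."""
    major, minor, patch = parse_version(version)
    if major != 2 or minor < min(FIXED):
        return False  # branches older than 2.23 never got the fix; other series: unknown
    return patch >= FIXED[minor] if minor in FIXED else True  # 2.26+ ship with the fix

def geoserver_version(about_json):
    """Pull the GeoServer entry out of /rest/about/version.json (other entries are GeoTools etc.)."""
    for res in about_json["about"]["resource"]:
        if res.get("@name") == "GeoServer":
            return res["Version"]
    raise ValueError("no GeoServer entry in version resource")

def assess(about_json, wfs_settings):
    """One-line exposure summary: fixed, or unfixed with/without the WFS mitigation."""
    ver = geoserver_version(about_json)
    if is_fixed(ver):
        return f"GeoServer {ver}: fixed"
    wfs_on = bool(wfs_settings["wfs"].get("enabled", True))  # /rest/services/wfs/settings.json
    return f"GeoServer {ver}: unfixed, " + ("WFS enabled" if wfs_on else "WFS disabled (mitigated)")

def fetch_json(base, path, user, pw):
    req = urllib.request.Request(base.rstrip("/") + path)
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode())
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

if __name__ == "__main__":
    if len(sys.argv) == 4:  # <base URL> <admin user> <password>: query the live instance
        base, user, pw = sys.argv[1:]
        about = fetch_json(base, "/rest/about/version.json", user, pw)
        wfs = fetch_json(base, "/rest/services/wfs/settings.json", user, pw)
    else:  # no arguments: evaluate the constructed samples
        about, wfs = SAMPLE_ABOUT, SAMPLE_WFS
    print(assess(about, wfs))
```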

Need more information about Stormshield protection? The Technical Support teams are at your disposal to help you. Contact them through the incident manager located in the MyStormshield private area. To access it, select the menu "Technical Support / Report an incident / Track an incident".
Stormshield's Cyber Threat Intelligence team has two primary missions: to study cyber threats to understand them and to continuously improve Stormshield product protections. All with the goal of contributing to the cybersecurity community's effort to address cyber threats.