GeoServer Critical Vulnerability (#999)
* Cisco Affected by OpenSSH Vulnerability

* Format markdown docs

* Update 20240709001-Cisco-Affected-by-OpenSSH-Vulnerability.md

Update with link to previous mentioned CVE advisory

* Oracle Critical Patch Update

* Format markdown docs

* Update 20240719001

* Format markdown docs

* Okta Releases Browser Plugin Advisory

* Format markdown docs

* Update 20240723002

* Advisory_20240801002

* Format markdown docs

* Update 20240801002

Applied "advisory-CISA-ICS-Advisories" template

* Format markdown docs

* Update 20240801002_02

Hyperlink fix

* Format markdown docs

* Advisory-20240823001

* Format markdown docs

* CISA Joint Advisory

* Format markdown docs

* Zabbix Server Advisory

* Format markdown docs

* Veeam Releases Critical Updates

* Format markdown docs

* Veeam Releases Critical Updates 002

* Veeam Releases Critical Updates - 20240909002

* Format markdown docs

* PR provided and changed to read 001

* Deleted

* Deleted

* GeoServer Critical Vulnerability

* Format markdown docs

* Update 20240924002

Reformatted affected version list to correct format.
Added applicable GeoTools information and CVE.
Added GeoServer advisory hyperlink.

* Format markdown docs

* Update 20240924002

Removed all auto-generated '\' from table text

* Format markdown docs

* Update 20240924002

Removed all auto-generated '\' from table text

---------

Co-authored-by: CharlesRN <CharlesRN@users.noreply.github.com>
Co-authored-by: Joshua Hitchen (DGov) <86041569+DGovEnterprise@users.noreply.github.com>
Co-authored-by: JadonWill <117053393+JadonWill@users.noreply.github.com>
Co-authored-by: JadonWill <JadonWill@users.noreply.github.com>
5 people committed Sep 24, 2024
1 parent 13d7ed1 commit 6e0ab84
Showing 1 changed file with 26 additions and 0 deletions.
26 changes: 26 additions & 0 deletions docs/advisories/20240924002-GeoServer-Critical-Vulnerability.md
@@ -0,0 +1,26 @@
# GeoServer Critical Vulnerability - 20240924002

## Overview

The WA SOC has been made aware of vulnerability in GeoServer that allows Remote Code Execution (RCE) by unauthenticated users through specially crafted input in a default installation. This vulnerability stems from the unsafe evaluation of property names as XPath expressions, caused by a flaw in the GeoTools library API, which GeoServer depends on.

## What is vulnerable?

| Product(s) Affected | Version(s) | CVE # | CVSS v4/v3 | Severity |
| ------------------- | --------------------------------------------------------------- | ----------------------------------------------------------------- | ---------- | -------- |
| GeoServer | all versions < 2.23.6 <br> 2.24.0 < 2.24.4 <br> 2.25.0 < 2.25.2 | [CVE-2024-36401](https://nvd.nist.gov/vuln/detail/CVE-2024-36401) | 9.8 | Critical |
| GeoTools | all versions < 29.6 <br> 30.0 < 30.4 <br> 31.0 < 31.2 | [CVE-2024-36404](https://nvd.nist.gov/vuln/detail/CVE-2024-36404) | 9.8 | Critical |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)):

- GeoServer advisory: <https://geoserver.org/vulnerability/2024/09/12/cve-2024-36401.html>

## Additional References

- The Hacker News: <https://thehackernews.com/2024/09/chinese-hackers-exploit-geoserver-flaw.html>
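Review bot: the affected-version bands in the table rows `| GeoServer | all versions < 2.23.6 <br> 2.24.0 < 2.24.4 <br> 2.25.0 < 2.25.2 |` and `| GeoTools | all versions < 29.6 <br> 30.0 < 30.4 <br> 31.0 < 31.2 |` use `2.24.0 < 2.24.4` as if it were a range, which reads as a comparison between two versions rather than a span; write each band as `>= 2.24.0, < 2.24.4` (or `2.24.0 to 2.24.3, fixed in 2.24.4`) so an administrator can match an installed build without guessing where the band starts. Since the table is the only place the fixed releases appear, the Recommendation paragraph would be clearer if it named them outright (GeoServer 2.23.6 / 2.24.4 / 2.25.2, GeoTools 29.6 / 30.4 / 31.2, all derived from the table as written). Smaller points in the same hunk: the `CVSS v4/v3` column shows a single `9.8` without saying which scoring version it applies to; the Overview sentence is missing an article ("made aware of a vulnerability in GeoServer"); and the Recommendation line should read "within the expected timeframe of *48 hours*". Finally, the Additional References entry is titled as active exploitation of this flaw, while "What has been observed?" only says nothing was seen on Western Australian Government networks; stating that exploitation has been reported elsewhere, alongside the local observation, would keep the two sections from appearing to contradict each other.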
