From 6e0ab8406d75540c21c81ae6bde235ed72ca0750 Mon Sep 17 00:00:00 2001 From: CharlesRN <125233614+CharlesRN@users.noreply.github.com> Date: Tue, 24 Sep 2024 14:24:12 +0800 Subject: [PATCH] GeoServer Critical Vulnerability (#999) * Cisco Affected by OpenSSH Vulnerability * Format markdown docs * Update 20240709001-Cisco-Affected-by-OpenSSH-Vulnerability.md Update with link to previous mentioned CVE advisory * Oracle Critical Patch Update * Format markdown docs * Update 20240719001 * Format markdown docs * Okta Releases Browser Plugin Advisory * Format markdown docs * Update 20240723002 * Advisory_20240801002 * Format markdown docs * Update 20240801002 Applied "advisory-CISA-ICS-Advisories" template * Format markdown docs * Update 20240801002_02 Hyperlink fix * Format markdown docs * Advisory-20240823001 * Format markdown docs * CISA Joint Advisory * Format markdown docs * Zabbix Server Advisory * Format markdown docs * Veeam Releases Critical Updates * Format markdown docs * Veeam Releases Critical Updates 002 * Veeam Releases Critical Updates - 20240909002 * Format markdown docs * PR provided and changed to read 001 * Deleted * Deleted * GeoServer Critical Vulnerability * Format markdown docs * Update 20240924002 Reformatted affected version list to correct format. Added applicable GeoTools information and CVE. Added GeoServer advisory hyperlink. * Format markdown docs * Update 20240924002 Removed all auto-generated '\' from table text * Format markdown docs * Update 20240924002 Removed all auto-generated '\' from table text --------- Co-authored-by: CharlesRN Co-authored-by: Joshua Hitchen (DGov) <86041569+DGovEnterprise@users.noreply.github.com> Co-authored-by: JadonWill <117053393+JadonWill@users.noreply.github.com> Co-authored-by: JadonWill --- ...924002-GeoServer-Critical-Vulnerability.md | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 docs/advisories/20240924002-GeoServer-Critical-Vulnerability.md 
diff --git a/docs/advisories/20240924002-GeoServer-Critical-Vulnerability.md b/docs/advisories/20240924002-GeoServer-Critical-Vulnerability.md new file mode 100644 index 00000000..9c2df2eb --- /dev/null +++ b/docs/advisories/20240924002-GeoServer-Critical-Vulnerability.md @@ -0,0 +1,26 @@ +# GeoServer Critical Vulnerability - 20240924002 + +## Overview + +The WA SOC has been made aware of vulnerability in GeoServer that allows Remote Code Execution (RCE) by unauthenticated users through specially crafted input in a default installation. This vulnerability stems from the unsafe evaluation of property names as XPath expressions, caused by a flaw in the GeoTools library API, which GeoServer depends on. + +## What is vulnerable? + +| Product(s) Affected | Version(s) | CVE # | CVSS v4/v3 | Severity | +| ------------------- | --------------------------------------------------------------- | ----------------------------------------------------------------- | ---------- | -------- | +| GeoServer | all versions < 2.23.6
2.24.0 < 2.24.4
2.25.0 < 2.25.2 | [CVE-2024-36401](https://nvd.nist.gov/vuln/detail/CVE-2024-36401) | 9.8 | Critical | +| GeoTools | all versions < 29.6
30.0 < 30.4
31.0 < 31.2 | [CVE-2024-36404](https://nvd.nist.gov/vuln/detail/CVE-2024-36404) | 9.8 | Critical | + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)): + +- GeoServer advisory: + +## Additional References + +- The Hacker News:
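Review bot: The two version cells in the "What is vulnerable?" table contain raw line breaks ("all versions < 2.23.6" / "2.24.0 < 2.24.4" / "2.25.0 < 2.25.2", and the same pattern for GeoTools), which splits each table row across several source lines and breaks Markdown table rendering; removing the trailing "\" continuations (per the commit message) did not join the cells. Put each affected-version list on a single line inside the cell, separated with `<br>` or commas, for example `all versions < 2.23.6<br>2.24.0 to 2.24.3<br>2.25.0 to 2.25.1`, which also replaces the ambiguous "2.24.0 < 2.24.4" range notation with explicit lower and upper bounds. In the "Recommendation" and "Additional References" sections the bullets "- GeoServer advisory:" and "- The Hacker News:" carry no visible URL; if these were written as `<https://...>` autolinks, convert them to explicit `[title](url)` links so the targets survive rendering and are reviewable in the diff. Minor: "made aware of vulnerability in GeoServer" should read "made aware of a vulnerability in GeoServer".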