Patch now! Malicious code attacks on GeoTools servers
Attackers are currently targeting GeoTools servers worldwide. In Germany, potentially hundreds of systems are under threat.
Attackers are currently exploiting a critical vulnerability in GeoServer GeoTools. Security updates are available.
The vulnerability
The Java library GeoTools can be used to visualize geoinformation. The provider of the software has now closed a vulnerability (CVE-2024-36401, rated "critical"). According to a warning message, the error lies in the XPath evaluation.
At this point, attackers can gain access without authentication and execute malicious code. It is currently unclear how this works in detail.
Threat in this country too
The US Cybersecurity and Infrastructure Security Agency (CISA) is among those warning of the attacks. Federal authorities must secure their systems by August 8. CISA does not specify the extent of the attacks. Security researchers observed the first attacks on July 9, 2024.
A query on the ZoomEye cybersecurity search engine shows that around 16,000 GeoTools servers worldwide are publicly accessible via the internet. In Germany, there are 943 instances at the time of this report. However, the results of the query do not reveal which version is installed. Consequently, the servers are only potentially vulnerable.
Patch now!
Admins should install one of the secure versions 2.23.6, 2.24.4 or 2.25.2 to protect their systems from the attacks. They should also ensure that their servers are only reachable from the Internet if absolutely necessary, since needless exposure hands attackers an often avoidable attack surface. If public accessibility is essential, access should be secured, for example via a VPN connection.
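As an added illustration (not part of the article or of the GeoTools project), a small Python helper that compares the version reported by each instance against the three fixed releases named above, so an inventory can be triaged; the hostnames and versions in the sample inventory are constructed.

```python
# Added example: triage a GeoServer/GeoTools inventory against the fixed releases
# listed in the advisory. Assumes versions are plain dotted numbers such as "2.25.1".
from typing import Optional, Tuple

# Fixed releases per the advisory: a version counts as patched only if it sits on
# one of these maintenance branches at or above the fixed release.
FIXED_VERSIONS = {
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor[.patch]' into a tuple; anything else (e.g. a
    '-SNAPSHOT' suffix) returns None so it is never mistaken for a release."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def status(version: str) -> str:
    """'patched', 'vulnerable', or 'unknown' (unparsable, or a branch the
    advisory does not list, which needs a manual check rather than a guess)."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: dict) -> dict:
    """Map each host in a {host: version} inventory to its status."""
    return {host: status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts) for illustration only
    sample = {
        "gis-01.example.internal": "2.25.1",
        "gis-02.example.internal": "2.24.4",
        "gis-03.example.internal": "2.22.5",
        "gis-04.example.internal": "2.25.2-SNAPSHOT",
    }
    for host, result in triage(sample).items():
        print(f"{host}: {result}")
```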
(des)