[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2022-24816 GeoSolutionsGroup JAI-EXT Code Injection Vulnerability
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Wed Jun 26 12:39:37 PDT 2024
Good morning,
The SOC Services team is reporting on the following vulnerability: CVE-2022-24816 GeoSolutionsGroup JAI-EXT Code Injection Vulnerability. Due to its high visibility and its listing on CISA's Known Exploited Vulnerability database, we are providing this in-depth information:
History: On April 13, 2022, the open-source JAI extension API was found to be vulnerable to command injection. CVE-2022-24816 was established as a CVE on April 13th, 2022, and is currently assigned a CVSSv3 rating of 9.8 (Critical).
The following products are affected:
* GeoServer project versions before 1.1.22.
Patches are available from GitHub to fix the vulnerability. The fixed version is:
* GeoServer project version 1.2.22 or newer.
Further information is available from GitHub Security Advisory:
* GitHub Security Advisory (GHSA-v92f-jx6p-73rx) - https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx
Intelligence: As of June 26th, 2024, CVE-2022-24816 has been added to CISA's Known Exploited Vulnerabilities database. The vulnerability affects the downstream GeoServer projects that use the jt-jiffle script module. Programs that allow a Jiffle script to be submitted in a network request may allow an attacker to achieve remote code execution, because the Jiffle script is compiled into Java code via Janino and then executed.
Workarounds: If upgrading to the latest version is not possible, perform the following mitigation:
1. Stop GeoServer.
2. Open the war file, go into WEB-INF/lib, and remove the janino-<version>.jar file.
3. Restart GeoServer.
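The following script is an added example, not part of this advisory: it performs step 2 above (removing janino-<version>.jar from WEB-INF/lib) and verifies afterwards that no Janino jar remains, so Jiffle scripts can no longer be compiled into Java code. It assumes GeoServer is already stopped (steps 1 and 3 depend on how GeoServer is deployed) and that its argument is either the exploded webapp directory or the geoserver.war file; the paths in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example, not from the advisory: carries out step 2 of the workaround
# (remove janino-<version>.jar from WEB-INF/lib) with a check before and after.
# Assumes GeoServer is already stopped and that $1 is either the exploded
# webapp directory or geoserver.war.
set -u

# List janino-<version>.jar entries under WEB-INF/lib; returns 1 when none exist.
find_janino() {
  target="$1"
  case "$target" in
    *.war)
      # zipinfo mode (-Z -1) prints matching archive entry names only
      unzip -Z1 "$target" 'WEB-INF/lib/janino-*.jar' 2>/dev/null | grep . ;;
    *)
      find "$target/WEB-INF/lib" -maxdepth 1 -name 'janino-*.jar' 2>/dev/null | grep . ;;
  esac
}

# Remove every jar reported by find_janino; a WAR file is backed up first.
remove_janino() {
  target="$1"
  jars=$(find_janino "$target") || {
    echo "no janino jar found under $target" >&2
    return 1
  }
  case "$target" in
    *.war)
      cp -p "$target" "$target.bak" || return 1
      # zip -d deletes the entries in place without unpacking the archive
      echo "$jars" | xargs zip -q -d "$target" || return 1 ;;
    *)
      echo "$jars" | xargs rm -f || return 1 ;;
  esac
  # Verify the mitigation: find_janino must now fail
  if find_janino "$target" >/dev/null; then
    echo "janino jar still present under $target" >&2
    return 1
  fi
  echo "removed: $jars"
}

# usage (hypothetical paths):
#   remove_janino /opt/tomcat/webapps/geoserver
#   remove_janino /opt/tomcat/webapps/geoserver.war
```

When both the WAR and its exploded directory exist under the servlet container, apply the removal to both, otherwise the container may redeploy the unmodified WAR on restart.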
How it works: GeoServer embeds Jiffle in the base WAR package. Jiffle can be used in SLD rendering transforms and is available as an OGC function. This permits remote code execution when editing SLD files from the administration console or through appropriately crafted OGC requests. A remote attacker can therefore send a crafted XML payload to the /geoserver/wms endpoint, resulting in code execution. The following payload can be used to execute the id command on a vulnerable system.
Post-Exploit: Upon successful exploitation of the vulnerability, an adversary can execute code remotely on a vulnerable system.
No known indicators of compromise have been publicly shared at this time.
As of June 26, 2024, there are no available plugins in Tenable Security Center.
Recommended Actions:
* Verify host has not been compromised before applying patches.
* Apply appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable, and secure state technology systems that equitably serve Oregonians."