CVE-2024-36404 Overview
CVE-2024-36404 is a critical Remote Code Execution (RCE) vulnerability in GeoTools, an open source Java library that provides tools for geospatial data. The vulnerability exists in the XPath expression evaluation functionality used by certain GeoTools components. When an application uses GeoTools to evaluate XPath expressions supplied by user input, an attacker can inject malicious code that will be executed on the server with the privileges of the application.
This vulnerability is particularly dangerous because GeoTools is widely used in geographic information systems (GIS) applications, web mapping services, and geospatial data processing pipelines. Applications that accept user-supplied XPath expressions for querying complex geospatial content are directly at risk.
Critical Impact
Unauthenticated remote attackers can achieve full server compromise through XPath expression injection, enabling arbitrary code execution without any user interaction required.
Affected Products
- GeoTools 31.x versions prior to 31.2
- GeoTools 30.x versions prior to 30.4
- GeoTools 29.x versions prior to 29.6
Discovery Timeline
- July 2, 2024 - CVE-2024-36404 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-36404
Vulnerability Analysis
This vulnerability is classified as CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection). The root cause lies in how GeoTools processes XPath expressions within the gt-complex module, specifically in components like XmlXpathUtilites and FeaturePropertyAccessorFactory. When user-controlled input is passed to XPath evaluation functions without proper sanitization, attackers can inject malicious expressions that escape the intended XPath context and execute arbitrary Java code.
The vulnerability leverages the JXPath library's expression evaluation capabilities. JXPath, while powerful for navigating Java object graphs using XPath-like syntax, can be abused to invoke arbitrary methods and instantiate objects when untrusted input is processed. This is similar to the previously disclosed CVE-2022-41852 in Apache Commons JXPath, and GeoTools' implementation inherited this vulnerability pattern.
Root Cause
The vulnerability stems from insufficient input validation and sanitization of XPath expressions before they are passed to the JXPath evaluation engine. The XmlXpathUtilites class and FeaturePropertyAccessorFactory did not implement adequate safeguards to prevent malicious expressions from accessing dangerous Java classes and methods through the JXPath context.
Attack Vector
An attacker can exploit this vulnerability by submitting a crafted XPath expression to any GeoTools-powered application that evaluates user-supplied XPath queries. This commonly occurs in:
- Application schema datastores that query complex GML content
- Web Feature Services (WFS) that accept filter expressions
- Any GIS application accepting user XPath input for feature queries
The attack requires no authentication and can be executed remotely over the network. A successful exploit grants the attacker the ability to execute arbitrary system commands with the privileges of the application server.
The security patch routes XPath handling through the JXPathUtils class; the excerpt below shows only the package declaration and imports of the patched org.geotools.appschema.util class:
package org.geotools.appschema.util;
import java.util.ArrayList;
import java.util.List;
import java.util.Scanner;
import org.apache.commons.jxpath.JXPathContext;
import org.geotools.xsd.impl.jxpath.JXPathUtils;
import org.jdom2.Document;
import org.xml.sax.helpers.NamespaceSupport;
Source: GitHub GeoTools Commit
Detection Methods for CVE-2024-36404
Indicators of Compromise
- Unusual XPath expressions in application logs containing Java class references or method invocations
- Unexpected process spawning from Java/GeoTools application processes
- Network connections initiated from GeoTools-based application servers to unexpected external hosts
- Log entries showing errors related to JXPath expression evaluation with suspicious payloads
Detection Strategies
- Monitor web application firewall (WAF) logs for XPath injection patterns in request parameters
- Implement input validation rules to detect and block expressions containing java.lang.Runtime, ProcessBuilder, or reflection-based class instantiation
- Review application logs for JXPath-related exceptions that may indicate exploitation attempts
- Deploy runtime application self-protection (RASP) solutions to detect and block code execution attempts
Monitoring Recommendations
- Enable verbose logging for GeoTools XPath evaluation components
- Implement anomaly detection for unusual patterns in WFS filter queries and application schema datastore requests
- Monitor Java process behavior for unexpected child process creation or network activity
- Set up alerts for file system modifications in application directories that could indicate post-exploitation activity
How to Mitigate CVE-2024-36404
Immediate Actions Required
- Upgrade GeoTools to version 31.2, 30.4, or 29.6 immediately
- If immediate upgrade is not possible, download and apply the drop-in replacement jars from SourceForge for your specific version
- Remove the gt-complex jar from your application if complex XPath functionality is not required
- Implement input validation to reject XPath expressions containing dangerous patterns
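The detection rule above (block expressions containing java.lang.Runtime, ProcessBuilder or reflection-based instantiation) and this input-validation action can be combined into one allowlist check that accepts only plain property paths and rejects function calls, undeclared prefixes and Java-style dotted names. This is an added example, not GeoTools project code; the namespace prefixes, the ALLOWED_FUNCTIONS set and the sample requests are constructed for illustration.

```python
import re
# Added example, not GeoTools project code: allowlist check for XPath property paths
# reaching app-schema / WFS filter evaluation. Prefixes and requests are constructed.
ALLOWED_FUNCTIONS = {"count", "position", "last", "name", "local-name", "string",
                     "number", "contains", "starts-with", "not", "true", "false"}
# Markers named in the advisory text plus the standard Java reflection entry points.
DENYLIST = re.compile(r"java\.lang\.Runtime|ProcessBuilder|Class\.forName|newInstance")
TOKEN = re.compile(r"""
      (?P<ws>\s+)
    | (?P<string>"[^"]*"|'[^']*')
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<name>[A-Za-z_][\w\-]*(?::(?:[A-Za-z_][\w\-]*|\*))?)
    | (?P<op>//|::|\.\.|!=|<=|>=|[/.@\[\]()=<>,|*+-])
""", re.X)

def check_xpath(expr: str, known_prefixes: set) -> tuple:
    """Accept only plain property paths; return (accepted, reason)."""
    hit = DENYLIST.search(expr)
    if hit:
        return False, f"denylisted token {hit.group(0)!r}"
    tokens, pos = [], 0
    while pos < len(expr):  # tokenize; anything unrecognised ($, {, ;) is rejected
        m = TOKEN.match(expr, pos)
        if not m:
            return False, f"unexpected character {expr[pos]!r} at {pos}"
        pos = m.end()
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group(0)))
    for i, (kind, text) in enumerate(tokens):
        nxt = tokens[i + 1][1] if i + 1 < len(tokens) else ""
        if kind == "name" and nxt == "(" and text not in ALLOWED_FUNCTIONS:
            return False, f"function call {text!r} not allowed"  # blocks prefix:func() extension calls
        if kind == "name" and ":" in text and text.split(":")[0] not in known_prefixes:
            return False, f"undeclared namespace prefix in {text!r}"
        if text == "." and i > 0 and tokens[i - 1][0] == "name":
            return False, "Java-style dotted name"  # '.' never directly follows a name in XPath
    return True, "ok"

# Constructed sample WFS filter requests (not captured traffic).
SAMPLE_REQUESTS = [
    {"id": "r1", "xpath": "gsml:specification/gsml:GeologicUnit/gml:name"},
    {"id": "r2", "xpath": "gml:name[@codeSpace='urn:example']"},
    {"id": "r3", "xpath": "count(gsml:occurrence) > 1"},
    {"id": "r4", "xpath": "ex:lookup('x')"},
    {"id": "r5", "xpath": "$var/gml:name"},
    {"id": "r6", "xpath": "com.example.Helper"},
]

def flag_requests(requests, known_prefixes):
    # Return (request id, reason) for each request whose XPath is rejected.
    results = [(r["id"], check_xpath(r["xpath"], known_prefixes)) for r in requests]
    return [(rid, reason) for rid, (ok, reason) in results if not ok]
```

Run against the constructed requests with prefixes {"gml", "gsml"} declared, r1 to r3 pass and r4 to r6 are rejected with a reason suitable for a WAF or application log entry.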
Patch Information
GeoTools maintainers have released fixed versions 31.2, 30.4, and 29.6 that address this vulnerability. The fix was implemented in GitHub Pull Request #4797 and committed in commit f0c9961. The patch introduces the JXPathUtils class to safely handle XPath expressions and prevent code injection.
For applications that cannot upgrade to the latest versions, drop-in replacement jars are available from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These replacement jars are intended for quick remediation and are not available through Maven Central.
See the GitHub Security Advisory GHSA-w3pj-wh35-fq8w for complete details.
Workarounds
- Remove the gt-complex jar from your application's classpath to disable vulnerable XPath functionality (note: this will impact application schema datastore functionality)
- Implement a web application firewall rule to filter requests containing potentially malicious XPath patterns
- Deploy network segmentation to limit the impact of potential compromise
- Run GeoTools applications with minimal privileges to reduce the impact of successful exploitation
# Remove gt-complex jar to disable vulnerable functionality
find /path/to/application -name "gt-complex-*.jar" -exec rm -v {} \;
# Verify the jar has been removed
find /path/to/application -name "gt-complex-*.jar" -type f
# Restart the application after removal
systemctl restart your-geotools-application
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.