A Code Injection Vulnerability in GeoServer

February 26, 2025

4

Introduction

CVE-2022-24816 is a critical vulnerability in the Jiffle extension of GeoServer, which allows remote code execution due to improper handling of Jiffle scripts. GeoServer is an open-source server written in Java designed for sharing, processing, and editing geospatial data. It is interoperable with other geospatial software and services, supporting a wide range of OGC (Open Geospatial Consortium) standards and protocols, such as Web Feature Service (WFS), Web Map Service (WMS), Web Coverage Service (WCS), and Web Map Tile Service (WMTS).

The vulnerability is rated a high CVSS v3 score of 9.8 due to its severe impact and exploitation potential. The severity of this vulnerability is heightened by the fact that it can be exploited by unauthenticated attackers, increasing the attack surface. It is added to the CISA Known Exploited Vulnerabilities (KEV) list as it has been actively exploited in the wild. In this article, we will delve into the technical details of this vulnerability and demonstrate how it can be exploited.

Understanding the Vulnerability

GeoServer includes support for the JAI-EXT API, which is enabled by default. This API provides advanced image processing capabilities and comes with a scripting language called Jiffle. Jiffle is a map algebra language which is designed to simplify operations on raster images by allowing scripts to be written in a more concise manner. When a Jiffle script is run, it is first converted into Java source code and then compiled into bytecode by the Janino compiler before being executed on the server. However, this process has a critical vulnerability. According to the NIST National Vulnerability Database (NVD), if a malicious actor provides a Jiffle script via a network request, can lead to Remote Code Execution (RCE), as these scripts are dynamically compiled and executed by the server. The vulnerability exists in jt-jiffle (Maven) versions prior to 1.1.22.

The flaw lies in how Jiffle handles comments within the scripts. When Jiffle scripts are compiled into Java code, the comments are not properly escaped. For example, an attacker can craft a payload that closes an existing comment and then injects arbitrary Java code:

In this snippet, the */ effectively closes a comment block, allowing the injected Java code to be compiled and executed. This bypasses the normal restrictions that would prevent such code injection. However, simply injecting code is not enough, the attacker also needs to control the execution flow.

Another crucial flaw lies in the handling of the Java Double class, which is used during the initialization of variables in the Jiffle-generated code. By overriding the Double class, an attacker can control the execution of code during the class’s initialization. As Java class initialization process ensures that a class or interface type is initialized before any of its static fields or methods are accessed. This behaviour can be exploited to inject a static block that executes arbitrary code when the class is initialized. By declaring a static field (NaN) in the Double class, the attacker ensures that the class will be loaded and initialized when this field is accessed. The static block of code gets executed as part of the class initialization process, which can be leveraged for executing malicious code. Here’s an example of a malicious Double class that an attacker could inject:

A screen shot of a computer code Description automatically generated

Figure 1: Sample payload containing the malicious Double class

Here, the attacker executed the id command and captured the output by throwing it as a RuntimeException, as shown in the response below:

Figure 2: HTTP Response showing execution of the injected code

Setting Up the Vulnerable Environment

To exploit the vulnerability in GeoServer, we can set up a GeoServer instance using Docker with the following command:

This command starts the GeoServer container in detached mode. We can access the service at http://localhost:8080/geoserver.

Triggering the Vulnerability

To exploit this vulnerability, an attacker can craft a payload that injects both the code to escape comments and the malicious Double class into a WPS request. The request is then sent to the /geoserver endpoint, followed by any of the service paths such as /wfs, /wms, /wps, or /wcs, depending on which OGC service the attacker targets. To demonstrate the vulnerability, we use curl to send a POST request to the GeoServer service endpoint.

Here’s an example of a payload sent via a curl request:

Figure 3: Sending the exploit payload using curl

In the provided XML payload, the critical part is in the wps:LiteralData field, where we inject both the code to escape comments and a custom Double class.

The injected Java class Double contains a static block that executes a system command when the class is initialized. This initialization occurs when the static field NaN of the Double class is accessed. The static block uses Runtime.getRuntime().exec() to execute the touch /tmp/test command on the server, creating a test file.

The following screenshot shows the file being created as proof of the successful exploitation:

Figure 4: Exploit verification—test file successfully created

CONCLUSION

To protect against these vulnerabilities, it is crucial to update to the latest GeoServer releases. Leveraging threat detection solutions can further strengthen your defences against emerging threats and ensure the continued integrity of your systems. You can also use the Keysight test platforms with ATI subscription to safeguard your network against such attacks.

LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS

Keysight’s Application and Threat Intelligence (ATI) Subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Center continuously monitors threats as they appear in the wild and has just released a strike for this CVE as part of BreakingPoint System’s recent update 2024-14 help keep your network secure. More information is present here.

The following images show the screenshots of the CVEs as a strike in BreakingPoint System:

A screenshot of a computer Description automatically generated