cvelistv5 - cve-2024-34696

cve-2024-34696

Vulnerability from cvelistv5

Published

2024-07-01 14:36

Modified

2024-08-02 02:59

Severity ?

4.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Summary

GeoServer's Server Status shows sensitive environmental variables and Java properties

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf	Vendor Advisory

Impacted products

▼	Vendor	Product
	geoserver	geoserver

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-34696",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-01T17:08:38.904497Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-01T17:08:44.885Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:59:21.661Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "geoserver",
          "vendor": "geoserver",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.10.0, \u003c 2.24.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.25.0, \u003c 2.25.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer\u0027s Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules\u0027 status message. These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens. Additionally, many community-developed GeoServer container images `export` other credentials from their start-up scripts as environment variables to the GeoServer (`java`) process. The precise scope of the issue depends on which container image is used and how it is configured.\n\nThe `about status` API endpoint which powers the Server Status page is only available to administrators.Depending on the operating environment, administrators might have legitimate access to credentials in other ways, but this issue defeats more sophisticated controls (like break-glass access to secrets or role accounts).By default, GeoServer only allows same-origin authenticated API access. This limits the scope for a third-party attacker to use an administrator\u2019s credentials to gain access to credentials. The researchers who found the vulnerability were unable to determine any other conditions under which the GeoServer REST API may be available more broadly.\n\nUsers should update container images to use GeoServer 2.24.4 or 2.25.1 to get the bug fix. As a workaround, leave environment variables and Java system properties hidden by default. Those who provide the option to re-enable it should communicate the impact and risks so that users can make an informed choice."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-01T14:36:05.084Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf"
        }
      ],
      "source": {
        "advisory": "GHSA-j59v-vgcr-hxvf",
        "discovery": "UNKNOWN"
      },
      "title": " GeoServer\u0027s Server Status shows sensitive environmental variables and Java properties"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-34696",
    "datePublished": "2024-07-01T14:36:05.084Z",
    "dateReserved": "2024-05-07T13:53:00.131Z",
    "dateUpdated": "2024-08-02T02:59:21.661Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-34696\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-07-01T15:15:16.907\",\"lastModified\":\"2024-07-03T14:42:49.743\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer\u0027s Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules\u0027 status message. These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens. Additionally, many community-developed GeoServer container images `export` other credentials from their start-up scripts as environment variables to the GeoServer (`java`) process. The precise scope of the issue depends on which container image is used and how it is configured.\\n\\nThe `about status` API endpoint which powers the Server Status page is only available to administrators.Depending on the operating environment, administrators might have legitimate access to credentials in other ways, but this issue defeats more sophisticated controls (like break-glass access to secrets or role accounts).By default, GeoServer only allows same-origin authenticated API access. This limits the scope for a third-party attacker to use an administrator\u2019s credentials to gain access to credentials. The researchers who found the vulnerability were unable to determine any other conditions under which the GeoServer REST API may be available more broadly.\\n\\nUsers should update container images to use GeoServer 2.24.4 or 2.25.1 to get the bug fix. As a workaround, leave environment variables and Java system properties hidden by default. Those who provide the option to re-enable it should communicate the impact and risks so that users can make an informed choice.\"},{\"lang\":\"es\",\"value\":\"GeoServer es un servidor de c\u00f3digo abierto que permite a los usuarios compartir y editar datos geoespaciales. A partir de la versi\u00f3n 2.10.0 y antes de las versiones 2.24.4 y 2.25.1, la p\u00e1gina Estado del servidor de GeoServer y la API REST enumeran todas las variables de entorno y propiedades de Java para cualquier usuario de GeoServer con derechos administrativos como parte del mensaje de estado de esos m\u00f3dulos. Estas variables/propiedades tambi\u00e9n pueden contener informaci\u00f3n confidencial, como contrase\u00f1as de bases de datos o keys/tokens API. Adem\u00e1s, muchas im\u00e1genes de contenedores de GeoServer desarrolladas por la comunidad \\\"exportan\\\" otras credenciales desde sus scripts de inicio como variables de entorno al proceso de GeoServer (\\\"java\\\"). El alcance preciso del problema depende de qu\u00e9 imagen de contenedor se utiliza y c\u00f3mo est\u00e1 configurada. El endpoint API \\\"acerca del estado\\\" que impulsa la p\u00e1gina Estado del servidor solo est\u00e1 disponible para los administradores. Dependiendo del entorno operativo, los administradores pueden tener acceso leg\u00edtimo a las credenciales de otras maneras, pero este problema anula controles m\u00e1s sofisticados (como el acceso sin barreras a secretos o cuentas de rol). De forma predeterminada, GeoServer solo permite el acceso API autenticado del mismo origen. Esto limita las posibilidades de que un atacante externo utilice las credenciales de un administrador para obtener acceso a las credenciales. Los investigadores que encontraron la vulnerabilidad no pudieron determinar otras condiciones bajo las cuales la API REST de GeoServer pueda estar disponible de manera m\u00e1s amplia. Los usuarios deben actualizar las im\u00e1genes del contenedor para usar GeoServer 2.24.4 o 2.25.1 para corregir el error. Como workaround, deje las variables de entorno y las propiedades del sistema Java ocultas de forma predeterminada. Quienes brinden la opci\u00f3n de volver a habilitarlo deben comunicar el impacto y los riesgos para que los usuarios puedan tomar una decisi\u00f3n informada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.2,\"impactScore\":3.6},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":0.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.10.0\",\"versionEndExcluding\":\"2.24.4\",\"matchCriteriaId\":\"779270D7-89BA-47CA-A5E5-4539668BC18E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.25.0\",\"versionEndExcluding\":\"2.25.1\",\"matchCriteriaId\":\"F63F5E42-FB6D-4264-BF8A-17DEB863054C\"}]}]}],\"references\":[{\"url\":\"https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

ghsa-j59v-vgcr-hxvf

Vulnerability from github

Published

2024-07-01 19:20

Modified

2024-07-01 19:20

Severity ?

4.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Summary

GeoServer's Server Status shows sensitive environmental variables and Java properties

Details

GeoServer's Server Status page and REST API (at /geoserver/rest/about/status) lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules' status message.

These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens, for example:

Data stores defined with parameterized catalog settings (-DALLOW_ENV_PARAMETRIZATION=true) which need a password or access key.
GeoServer's official Docker image uses environment variables to configure PostgreSQL JNDI resources, including credentials (POSTGRES_HOST, POSTGRES_USERNAME, POSTGRES_PASSWORD)

Additionally, many community-developed GeoServer container images export other credentials from their start-up scripts as environment variables to the GeoServer (java) process, such as:

GeoServer admin and master (root) passwords
Tomcat management application password
HTTPS/TLS certificate key store password
AWS S3 bucket access keys

The precise scope of the issue depends on which container image is used and how it is configured.

[!NOTE] Some container images allow passing secrets as files (eg: POSTGRES_PASSWORD_FILE), or randomly generating passwords on start-up. While this is promoted as best-practice[^secret-files], if its start-up script exports these as environment variables to GeoServer, they are also impacted by this issue.

Impact

The “about status” API endpoint (at /geoserver/rest/about/status) which powers the Server Status page is only available to administrators.

Depending on the operating environment, administrators might have legitimate access to credentials in other ways, but this issue defeats more sophisticated controls (like break-glass access to secrets or role accounts).

By default, GeoServer only allows same-origin authenticated API access. This limits the scope for a third-party attacker to use an administrator’s credentials to gain access to credentials (ie: requires XSS).

We were unable to determine any other conditions under which the GeoServer REST API may be available more broadly.

Fixes / remediation

GeoServer 2.24.4 and 2.25.1 hide all environment variables and Java system properties by default, with no further action required by GeoServer administrators.

There are new settings to allow an administrator to display these again – effectively reverting this security fix. We strongly recommend administrators leave these settings as-is, and use alternative mechanisms to access environment variables (instructions below).

If you're using GeoServer in a container runtime (such as Docker or Kubernetes) or from some other distributor's packages, you'll need to wait for the maintainer to update the version of GeoServer used in their image.

[!WARNING] If you run GeoServer with parameterized catalog settings (-DALLOW_ENV_PARAMETRIZATION=true), a GeoServer administrator could use this to access any environment variable or Java property by including it in some field which is rendered by the UI (such as the description field), even with this fix.

Advice for container / Docker image maintainers

Update container images to use GeoServer 2.24.4 or 2.25.1 to get the bug fix.

Please leave environment variables and Java system properties hidden by default. If you provide the option to re-enable it, communicate the impact and risks so that users can make an informed choice.

Container images should practice "defence in depth", to limit the impact when it is configured to show environment variables and/or properties:

Pass secrets to the container as either:
files which are only readable by the GeoServer process/UID, or,
references (identifiers) to a secret stored in a cloud provider's metadata or secret management service
Pass secrets to GeoServer by generating configuration files as part of your start-up scripts, rather than passing variables/properties or relying on parameterized catalog settings.
Ensure any configuration files with secrets are not readable by other users.
Clear all environment variables which contain secrets before starting GeoServer.

Alternatively: start up GeoServer with only the environment variables it needs, and no secrets.

Don't pass secrets as command-line flags – these are shown in ps to all users!

Alternatives for displaying GeoServer's environment variables

On Linux, you can get all environment variables set at start-up time for a running process with:

sh tr '\0' '\n' < /proc/${GEOSERVER_PID}/environ

On Windows, SysInternals' Process Explorer can show running processes' environment variables.
Current versions of macOS do not allow arbitrary access to other running processes' environment variables. Disabling these restrictions (on a macOS level) would significantly reduce the overall security of the system.

[^secret-files]: Docker Compose: How to use secrets in Docker Compose, Docker Swarm: Build support for Docker Secrets into your images

Show details on source website