CVE-2022-24816
published 2022-04-13


Priority: P1 (score 100, critical) · CVSS 3.1: 10
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2024-07-17
Exploited in the wild
EPSS: 98.74% (99.9th percentile)
JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.

Affected (2 ranges)

Vendor             Product   Version range   Fixed in
geosolutions-it    jai-ext   < 1.1.22        1.1.22
geosolutionsgroup  jai-ext   < 1.1.22        1.1.22

Detection & IOCs (extracted from sources)

url:    /geoserver/wms
other:  ras:Jiffle
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geoserver JT-Jiffle Extension Code Injection (CVE-2022-24816)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/geoserver/wms"; startswith; http.request_body; content:"|3c|ows|3a|Identifier|3e|ras|3a|Jiffle|3c 2f|ows|3a|Identifier|3e|"; fast_pattern; content:"java|2e|lang|2e|Runtime|2e|getRuntime|28 29|"; distance:0; reference:url,www.synacktiv.com/en/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver; reference:cve,2022-24816; classtype:web-application-attack; sid:2056208; rev:1; metadata:affected_product Geoserver, attack_target Server, tls_state TLSDecrypt, created_at 2024_09_26, cve CVE_2022_24816, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_09_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes:  |3c|ows|3a|Identifier|3e|ras|3a|Jiffle|3c 2f|ows|3a|Identifier|3e|
bytes:  java|2e|lang|2e|Runtime|2e|getRuntime|28 29|
  • Exploit arrives as an HTTP POST to /geoserver/wms containing an ows:Identifier element referencing 'ras:Jiffle' and injected Java code invoking java.lang.Runtime.getRuntime() in the request body.
  • Successful exploitation produces an ExceptionInInitializerError in the HTTP response body alongside /etc/passwd content (root:.*:0:0:), which can be used as a response-side detection signal.
  • The malicious Jiffle script payload uses a comment-injection technique to break out of the generated Java class and inject an arbitrary static initializer block that executes OS commands via Runtime.exec().
  • Presence of janino-x.y.z.jar on the classpath is a prerequisite for exploitation; its presence in a GeoServer deployment should be treated as an attack-surface indicator when JAI-EXT is below version 1.1.22.
  • The Snort/ET rule requires TLS decryption to be effective against HTTPS-protected GeoServer instances, as indicated by the TLSDecrypt deployment metadata.
  • The patched version is JAI-EXT 1.1.22 (not 1.2.22 as stated in the NVD advisory); defenders should verify the exact artifact version on disk.
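As an added illustration (not part of this record, the ET rule or the GeoServer/JAI-EXT projects), the Python below re-implements the request-side logic of the Snort rule above and the response-side signal from the notes, with a small decoder for Snort's |hex| content notation so the rule's byte patterns can be reused as-is. The HTTP request and response samples are constructed, the host name is a placeholder, and the body of the flagged sample contains only the two strings the rule matches on, not a working script.

```python
import re

# Content matches copied verbatim from the ET/Snort rule on this page.
IDENTIFIER_PATTERN = "|3c|ows|3a|Identifier|3e|ras|3a|Jiffle|3c 2f|ows|3a|Identifier|3e|"
RUNTIME_PATTERN = "java|2e|lang|2e|Runtime|2e|getRuntime|28 29|"
# Response-side signal from the notes above: an ExceptionInInitializerError
# alongside /etc/passwd content (root:.*:0:0:).
PASSWD_ROOT_LINE = re.compile(rb"root:.*:0:0:")


def decode_snort_content(pattern: str) -> bytes:
    """Translate Snort 'content' notation (literal text with |hex| groups) to raw bytes."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in Snort content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")                # literal text
        else:
            out += bytes.fromhex(part.replace(" ", ""))  # hex byte group
    return bytes(out)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body); None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line = head.split(b"\r\n", 1)[0].split(b" ")
    if len(request_line) < 2:
        return None
    return request_line[0], request_line[1], body


def matches_jiffle_rule(raw_request: bytes) -> bool:
    """Request-side check mirroring the rule: POST, URI starting with /geoserver/wms,
    the ras:Jiffle identifier in the body, and Runtime.getRuntime() after it."""
    parsed = parse_http_request(raw_request)
    if parsed is None:
        return False
    method, uri, body = parsed
    if method != b"POST" or not uri.startswith(b"/geoserver/wms"):
        return False
    identifier = decode_snort_content(IDENTIFIER_PATTERN)
    pos = body.find(identifier)
    if pos < 0:
        return False
    # 'distance:0' in the rule: the second content must follow the first match.
    return body.find(decode_snort_content(RUNTIME_PATTERN), pos + len(identifier)) >= 0


def response_indicates_success(raw_response: bytes) -> bool:
    """Response-side check: initializer error plus a root passwd line in the body."""
    return (b"ExceptionInInitializerError" in raw_response
            and PASSWD_ROOT_LINE.search(raw_response) is not None)


# Constructed samples (not real captures); the host name is a placeholder.
SAMPLE_REQUEST = (
    b"POST /geoserver/wms HTTP/1.1\r\n"
    b"Host: geoserver.example.internal\r\n"
    b"Content-Type: application/xml\r\n\r\n"
    b"<wps:Execute><ows:Identifier>ras:Jiffle</ows:Identifier>"
    b"CONSTRUCTED_SAMPLE java.lang.Runtime.getRuntime() CONSTRUCTED_SAMPLE</wps:Execute>"
)
BENIGN_REQUEST = (
    b"POST /geoserver/wms HTTP/1.1\r\nHost: geoserver.example.internal\r\n\r\n"
    b"<wps:Execute><ows:Identifier>ras:Jiffle</ows:Identifier>dest = src * 2;</wps:Execute>"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\n"
    b"java.lang.ExceptionInInitializerError\n"
    b"root:x:0:0:root:/root:/bin/bash\n"
)

if __name__ == "__main__":
    print("sample request flagged:", matches_jiffle_rule(SAMPLE_REQUEST))   # True
    print("benign request flagged:", matches_jiffle_rule(BENIGN_REQUEST))   # False
    print("response signal:", response_indicates_success(SAMPLE_RESPONSE))  # True
```

Like the rule it mirrors (see its TLSDecrypt metadata), this only sees plaintext, so it has to run behind a TLS-terminating proxy or on decrypted traffic; the benign sample shows that a legitimate Jiffle request carrying the ras:Jiffle identifier alone is not flagged, since the rule keys on both contents in order.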

CVSS provenance

Source     Version   Score   Severity   Vector
nvd        v3.1      10.0    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd        v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa       -         10.0    CRITICAL   -
osv        -         10.0    CRITICAL   -
vulncheck  -         10.0    CRITICAL   -
cisa       -         10.0    CRITICAL   -