CVE-2022-24816 — OSGeo GeoServer JAI-EXT Code Injection Vulnerability

CVE-2022-24816

GeoServer JAI-EXT — Pre-Auth RCE via Jiffle Script Code Injection in Raster Processing (CVSS 10)

What is GeoServer / JAI-EXT?

GeoServer is an open-source Java server for sharing, processing, and editing geospatial data, implementing OGC standards (WMS, WFS, WCS, WPS). It is widely used by government agencies, utilities, mapping services, and spatial data infrastructure providers. JAI-EXT (Java Advanced Imaging Extensions) is a library of raster image processing operations that GeoServer bundles. Jiffle, shipped in JAI-EXT's jt-jiffle module, is a scripting language for defining custom per-pixel raster transformations; because scripts are compiled to Java and executed inside the server JVM, it became a code injection vector.

Overview

CVE-2022-24816 is a pre-authentication remote code execution vulnerability (CWE-94) in the Jiffle scripting engine of the JAI-EXT library (the jt-jiffle module), affecting GeoServer and any other application that accepts Jiffle scripts from the network. Jiffle scripts are translated to Java source and compiled at runtime with the Janino compiler, so an attacker who can supply a script can get attacker-controlled Java compiled and executed on the server. CVSS 3.1 base score 10.0. JAI-EXT 1.1.22 shipped the fix in April 2022, but CISA did not add the CVE to its KEV catalog until 26 June 2024, in the same period in which other GeoServer RCE flaws (notably CVE-2024-36401) came under active exploitation.

Affected Versions

Component             Vulnerable                                Fixed
JAI-EXT (jt-jiffle)   before 1.1.22                             1.1.22
GeoServer             builds bundling JAI-EXT before 1.1.22     2.21.x and 2.20.x builds bundling JAI-EXT 1.1.22 or later

Technical Details

Jiffle is a domain-specific language for raster image processing (map algebra) designed to express per-pixel transformations. Rather than interpreting scripts, the Jiffle compiler translates each script into Java source, compiles that source in-process with Janino, and loads the resulting class into the JVM.

The code injection arises because the script text is not sanitized before it is embedded in the generated Java source, so attacker-controlled script content can break out of the code the compiler meant to emit and be compiled verbatim as Java. In the illustrative script below, an init block carries a Java Runtime.exec call that ends up in the generated class:

// Inject Java code into the compiled raster function
init { Runtime.getRuntime().exec("id"); }
result = x();

The compiled class runs inside the GeoServer JVM with the full privileges of the GeoServer process (typically the servlet container's service account), so command execution, file access and outbound network access are all available to the attacker.

In GeoServer, Jiffle scripts reach jt-jiffle through:

  • WPS (Web Processing Service) Execute requests invoking the ras:Jiffle process, either as a KVP GET or an XML POST; the raster input can itself be a WCS (Web Coverage Service) coverage served by the same instance
  • Rendering transformations in SLD styles that call ras:Jiffle, including styles stored on the server and, where dynamic styling is enabled, styles supplied inline with a WMS GetMap request

By default GeoServer's OGC service endpoints accept anonymous requests unless service-level security has been configured, so on a public instance these entry points are reachable without authentication.

Discovery

Disclosed via GitHub Security Advisory GHSA-v92f-jx6p-73rx for the JAI-EXT project, alongside the 1.1.22 release. The vulnerability drew renewed attention in 2024, when CISA added it to the KEV catalog while other GeoServer RCE vulnerabilities (including CVE-2024-36401, a related but distinct issue) were being actively exploited.

Exploitation Context

GeoServer instances hosting public mapping services are usually internet-accessible, and OGC protocol requests are accepted without authentication by default. Government GIS portals, utility mapping systems, and spatial data infrastructure deployments commonly run GeoServer, often on long-lived, infrequently patched hosts.

The two-year gap between the patch and the KEV listing is a reminder that geospatial platforms often sit outside mainstream patch-management attention even when the flaw is a pre-authentication RCE. The listing came during a period of concentrated attention on GeoServer exploitation in 2024.

Remediation

  1. Update JAI-EXT to 1.1.22 or later: This is the primary fix. Applications that embed jt-jiffle directly should update the dependency and redeploy.
  2. Update GeoServer: Move to a GeoServer release that bundles JAI-EXT 1.1.22 or later (2.21.x, or a 2.20.x build with the updated library). Do not rely on the release notes alone; confirm the version of the jt-jiffle jars actually present in WEB-INF/lib of the deployed instance.
  3. Disable the Jiffle process if unused: If the deployment uses neither Jiffle rendering transformations nor the ras:Jiffle WPS process, disable the process in GeoServer's WPS configuration or restrict it to an administrative role through WPS process security, and audit stored styles for ras:Jiffle transformations.
  4. Restrict WPS/WCS access: Where the endpoints do not need to be public, require authentication through service-level security rules rather than relying on the default anonymous access.
  5. Review for exploitation: Check GeoServer access logs for WPS or WMS requests whose query string contains ras:Jiffle or jiffle (KVP Execute requests and inline SLD_BODY styles). XML POST requests carry the script in the body, so those must be reviewed from request captures or application logs; the access log alone cannot clear them.
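A triage script that carries out steps 2 and 5 above on sample data, written for this page as an added example (it is not GeoServer or JAI-EXT tooling). It assumes the bundled jars follow the jt-jiffle[-module]-version.jar naming, that the access log is in Apache/Tomcat combined format, and it runs over constructed jar names and log lines embedded in the script; the function and constant names are the example's own.

```python
"""Triage helpers for CVE-2022-24816 on a GeoServer host.

Added example for this page, not GeoServer or JAI-EXT tooling. It assumes:
  - jt-jiffle jars in WEB-INF/lib are named jt-jiffle[-<module>]-<x.y.z>.jar
  - the access log is Apache/Tomcat combined format ("METHOD target PROTO")
  - the sample jar names and log lines below are constructed, not captured
"""
import re
from urllib.parse import unquote_plus

FIXED_VERSION = (1, 1, 22)  # first jt-jiffle release carrying the fix

# jt-jiffle-1.1.21.jar, jt-jiffle-language-1.1.21.jar, jt-jiffle-op-1.1.21.jar
JAR_RE = re.compile(r"^jt-jiffle(?:-[a-z]+)?-(\d+)\.(\d+)\.(\d+)\.jar$")

# ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_jar_version(filename):
    """Return (major, minor, patch) for a jt-jiffle jar name, else None."""
    m = JAR_RE.match(filename)
    return tuple(int(x) for x in m.groups()) if m else None


def vulnerable_jars(filenames):
    """Filter a WEB-INF/lib listing down to jt-jiffle jars older than 1.1.22."""
    out = []
    for name in filenames:
        version = parse_jar_version(name)
        if version is not None and version < FIXED_VERSION:
            out.append(name)
    return out


def classify_request(method, target):
    """Classify one request for Jiffle exposure.

    'jiffle-in-request': the URL-decoded query names Jiffle, e.g. a KVP WPS
        Execute with Identifier=ras:Jiffle or a WMS GetMap whose SLD_BODY
        carries a ras:Jiffle rendering transformation.
    'post-review-body': a POST to the WPS or WMS endpoint. The script or style
        travels in the XML body, which an access log never records, so the
        body (or a request-capturing proxy) has to be checked separately.
    None: nothing Jiffle-related is visible in the log line.
    """
    path, _, query = target.partition("?")
    if "jiffle" in unquote_plus(query).lower():
        return "jiffle-in-request"
    endpoint = path.rstrip("/").rsplit("/", 1)[-1].lower()
    if method == "POST" and endpoint in ("wps", "wms"):
        return "post-review-body"
    return None


def scan_access_log(lines):
    """Return (ip, method, path, verdict) for every line worth a look."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line this example understands
        verdict = classify_request(m.group("method"), m.group("target"))
        if verdict:
            path = m.group("target").partition("?")[0]
            hits.append((m.group("ip"), m.group("method"), path, verdict))
    return hits


# Constructed sample data (not from a real deployment).
SAMPLE_JARS = [
    "jt-jiffle-language-1.1.21.jar",  # vulnerable
    "jt-jiffle-op-1.1.21.jar",        # vulnerable
    "jt-jiffle-language-1.1.22.jar",  # fixed
    "jt-utilities-1.1.22.jar",        # not a jiffle module
]

SAMPLE_LOG = [
    # ordinary WMS GetMap, nothing to see
    '203.0.113.5 - - [26/Jun/2024:10:00:01 +0000] "GET /geoserver/wms?service=WMS'
    '&request=GetMap&layers=topp:states&format=image/png HTTP/1.1" 200 4120',
    # KVP WPS Execute naming the Jiffle process, script visible in the query
    '198.51.100.7 - - [26/Jun/2024:10:00:02 +0000] "GET /geoserver/wps?service=WPS'
    '&version=1.0.0&request=Execute&Identifier=ras%3AJiffle'
    '&DataInputs=script%3Ddest%20%3D%20src%3B HTTP/1.1" 200 911',
    # XML WPS Execute: only the endpoint shows, the script is in the body
    '198.51.100.7 - - [26/Jun/2024:10:00:03 +0000] "POST /geoserver/wps HTTP/1.1" 200 911',
    # WMS GetMap with an inline style carrying a Jiffle rendering transformation
    '198.51.100.9 - - [26/Jun/2024:10:00:04 +0000] "GET /geoserver/wms?service=WMS'
    '&request=GetMap&layers=nurc:Img_Sample&SLD_BODY=%3CStyledLayerDescriptor%3E'
    'ras%3AJiffle%3C%2FStyledLayerDescriptor%3E&format=image/png HTTP/1.1" 200 3002',
    # ordinary WFS GetCapabilities
    '203.0.113.5 - - [26/Jun/2024:10:00:05 +0000] "GET /geoserver/wfs?service=WFS'
    '&request=GetCapabilities HTTP/1.1" 200 55010',
]

if __name__ == "__main__":
    for jar in vulnerable_jars(SAMPLE_JARS):
        print("VULNERABLE jar:", jar)
    for ip, method, path, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{verdict:18} {ip:14} {method:5} {path}")
```

On a real host, feed vulnerable_jars the os.listdir of WEB-INF/lib and scan_access_log the lines of the container's access log. The caveat worth keeping in mind is the one classify_request encodes: an XML WPS Execute, or a POSTed style, carries the Jiffle script in the request body, so an access log can only tell you that the WPS or WMS endpoint was hit, not what was sent to it.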

Key Details

Property                Value
CVE ID                  CVE-2022-24816
Vendor / Product        OSGeo — JAI-EXT
NVD Published           2022-04-13
NVD Last Modified       2025-10-24
CVSS 3.1 Score          10.0
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity                CRITICAL
CWE                     CWE-94 (Improper Control of Generation of Code)
CISA KEV Added          2024-06-26
CISA KEV Deadline       2024-07-17
Known Ransomware Use    No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2024-07-17. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2022-04-13   CVE published; JAI-EXT 1.1.22 released with the fix
2024-06-26   Added to the CISA Known Exploited Vulnerabilities catalog (over two years after the patch)
2024-07-17   CISA BOD 22-01 remediation deadline

References

Resource                                                    Type
NVD — CVE-2022-24816                                        Vulnerability Database
CISA KEV Catalog Entry                                      US Government
GitHub Security Advisory GHSA-v92f-jx6p-73rx — JAI-EXT      Vendor Advisory
JAI-EXT 1.1.22 Release                                      Vendor Advisory