Apache Foundation fixed a severe Tomcat vulnerability

The Apache Software Foundation fixed a Tomcat server software flaw that could lead to remote code execution under certain conditions.

The Apache Software Foundation (ASF) addressed an important vulnerability, tracked as CVE-2024-56337, in its Tomcat server software. The researchers warn that exploiting this vulnerability could result in remote code execution under certain conditions.

Apache Tomcat is an open-source implementation of the Java Servlet, JavaServer Pages (JSP), Jakarta Expression Language, and WebSocket technologies. It is developed by the Apache Software Foundation and is widely used as a web server and servlet container for running Java-based web applications.

The flaw is a TOCTOU (time-of-check to time-of-use) race condition in Apache Tomcat that affects versions 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97. It stems from the incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8).

“Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat,” reads the advisory.

The CVE-2024-50379 mitigation was incomplete; fully mitigating it requires additional configuration that depends on the Java version in use:

  • Java 8/11: Set sun.io.useCanonCaches to false (default is true).
  • Java 17: Ensure sun.io.useCanonCaches is false (default is false).
  • Java 21+: No configuration needed (property removed).

From Tomcat 11.0.3, 10.1.35, and 9.0.99 onward, checks will enforce proper configuration of sun.io.useCanonCaches.
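The three-way decision above, as an added shell check that is not from the Apache advisory or the Tomcat project: it scans a web.xml for the default servlet's readonly init-param and combines that with the Java major version and the JVM options to say whether sun.io.useCanonCaches still needs to be set. The awk scan, the CATALINA_OPTS convention and the constructed sample web.xml are assumptions; XML comments are not skipped, and versions other than 8, 11, 17 and 21+ are treated conservatively as needing the explicit flag.

```sh
# Added check (not from the Apache advisory or Tomcat): does this instance still need the
# sun.io.useCanonCaches mitigation for CVE-2024-50379 / CVE-2024-56337?
# Is the default servlet writable, i.e. its readonly init-param set to false in web.xml?
default_servlet_writable() {
  awk '
    /<servlet>/   { in_s = 1; is_default = 0; pname = "" }
    /<\/servlet>/ { in_s = 0 }
    in_s && /<servlet-name>[[:space:]]*default[[:space:]]*<\/servlet-name>/ { is_default = 1 }
    in_s && is_default && /<param-name>/ {
      pname = $0; gsub(/.*<param-name>[[:space:]]*|[[:space:]]*<\/param-name>.*/, "", pname)
    }
    in_s && is_default && pname == "readonly" && /<param-value>/ {
      v = $0; gsub(/.*<param-value>[[:space:]]*|[[:space:]]*<\/param-value>.*/, "", v)
      if (tolower(v) == "false") writable = 1
      pname = ""
    }
    END { exit writable ? 0 : 1 }
  ' "$1"
}
# Is sun.io.useCanonCaches effectively false for this Java major version and JVM options?
canon_caches_safe() {
  major=$1; opts=$2
  case "$opts" in *-Dsun.io.useCanonCaches=false*) return 0 ;; esac  # explicitly off
  [ "$major" -ge 21 ] && return 0                                     # property removed in 21+
  if [ "$major" -eq 17 ]; then                                        # default is false
    case "$opts" in *-Dsun.io.useCanonCaches=true*) return 1 ;; *) return 0 ;; esac
  fi
  return 1  # Java 8/11 default to true; every other version is treated the same, conservatively
}
# Verdict: returns 0 when extra configuration is still required, 1 when nothing more is needed.
needs_mitigation() {  # $1 = web.xml path, $2 = Java major version, $3 = JVM options string
  if ! default_servlet_writable "$1"; then
    echo "default servlet is read-only: the write path behind CVE-2024-50379 is disabled"; return 1
  fi
  if canon_caches_safe "$2" "$3"; then
    echo "sun.io.useCanonCaches is already effectively false on Java $2"; return 1
  fi
  echo "ACTION: add -Dsun.io.useCanonCaches=false to CATALINA_OPTS (Java $2, writable default servlet)"
}
# Constructed web.xml fragment (not Tomcat's shipped conf/web.xml) with readonly=false.
write_sample_webxml() {
  printf '%s\n' '<servlet>' '  <servlet-name>default</servlet-name>' \
    '  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>' \
    '</servlet>' > "$1"
}
tmp=$(mktemp) && write_sample_webxml "$tmp"
needs_mitigation "$tmp" 11 "-Xmx1g" || :                                # prints the ACTION line
needs_mitigation "$tmp" 11 "-Xmx1g -Dsun.io.useCanonCaches=false" || :  # already mitigated
rm -f "$tmp"
```

Point it at conf/web.xml and the CATALINA_OPTS value from setenv.sh; the case-insensitive file system precondition quoted from the advisory is not probed here.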

Security researchers Nacl, WHOAMI, Yemoli, and Ruozhi discovered both vulnerabilities. Dawu and Sunflower of the KnownSec 404 Team independently reported this vulnerability, providing a detailed proof-of-concept.

Pierluigi Paganini

(SecurityAffairs – hacking, Apache Tomcat)