Affected product(s):
- Apache Tomcat 11.0.0-M1 to 11.0.1 (fixed in 11.0.2 or later)
- Apache Tomcat 10.1.0-M1 to 10.1.33 (fixed in 10.1.34 or later)
- Apache Tomcat 9.0.0.M1 to 9.0.97 (fixed in 9.0.98 or later)
Additionally, users must make the following configuration changes depending on the version of Java they are running:
- Java 8 or Java 11: Explicitly set the sun.io.useCanonCaches system property to false (default is true)
- Java 17: If the sun.io.useCanonCaches system property is already set, set it to false (default is false)
- Java 21 and later: No action is required, as the system property has been removed
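As an added example (not from the advisory or the Tomcat project), the POSIX shell functions below encode the per-Java-version rule above, render the matching CATALINA_OPTS line for $CATALINA_BASE/bin/setenv.sh, and check whether a web.xml actually write-enables the default servlet (the precondition for the flaw). The Java major version is assumed to have been read from `java -version` beforehand; versions the advisory does not name (9, 10, 12 to 16, 18 to 20) are mapped to the rule of the nearest named version below them, which is an assumption, and the web.xml scan is a plain-text check, not an XML parser.

```shell
#!/bin/sh
# Added example, not Tomcat's own tooling: decide what to do about
# sun.io.useCanonCaches for a given Java major version and check the
# default servlet's write status in a web.xml file.

# Usage: canon_caches_action JAVA_MAJOR CURRENT_VALUE
#   CURRENT_VALUE is the value of -Dsun.io.useCanonCaches already in the
#   JVM flags, or the empty string when it is not set.
# Prints: set  (property must be added as false)
#         fix  (property is explicitly true and must be changed to false)
#         ok   (nothing to do for this JVM)
#         none (property no longer exists on this JVM)
canon_caches_action() {
  major=$1
  current=$2
  if [ "$major" -ge 21 ] 2>/dev/null; then
    echo none                      # Java 21+: property removed
  elif [ "$major" -ge 17 ] 2>/dev/null; then
    # Java 17 (assumed: also 18-20): defaults to false, only an explicit
    # "true" needs correcting.
    if [ "$current" = "true" ]; then echo fix; else echo ok; fi
  else
    # Java 8 / 11 (assumed: also other pre-17 releases): defaults to true,
    # so it must be set to false explicitly.
    if [ "$current" = "false" ]; then echo ok; else echo set; fi
  fi
}

# Usage: setenv_line ACTION
# Prints the line to append to $CATALINA_BASE/bin/setenv.sh, or nothing
# when no change is needed.
setenv_line() {
  case "$1" in
    set|fix) printf '%s\n' 'CATALINA_OPTS="$CATALINA_OPTS -Dsun.io.useCanonCaches=false"' ;;
    *) ;;
  esac
}

# Usage: default_servlet_writable WEB_XML
# Succeeds (exit 0) when the file sets the "readonly" init-param to false,
# i.e. the default servlet is write-enabled. Whitespace is stripped first so
# the param-name/param-value pair can span lines as in the stock conf/web.xml.
default_servlet_writable() {
  tr -d '\n\r\t ' < "$1" |
    grep -q '<param-name>readonly</param-name><param-value>false</param-value>'
}

# Usage: write_sample_webxml PATH
# Writes a constructed web.xml fragment (not a real Tomcat file) in which the
# default servlet has been made writable, for trying the check above.
write_sample_webxml() {
  cat > "$1" <<'EOF'
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
EOF
}
```

Typical use: `action=$(canon_caches_action "$java_major" "$current")`, then append `setenv_line "$action"` to setenv.sh and restart Tomcat; if `default_servlet_writable "$CATALINA_BASE/conf/web.xml"` succeeds on a case-insensitive filesystem, treat the host as exposed until the property is set or the servlet is made read-only again.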
Description
A critical vulnerability has been disclosed in Apache's Tomcat server software that could lead to remote code execution (RCE) under certain conditions. The vulnerability, tracked as CVE-2024-56337, is described as an incomplete mitigation for CVE-2024-50379 (CVSS score 9.8), another critical security flaw in the same product that was previously addressed on December 17, 2024.
Both flaws are Time-of-Check Time-of-Use (TOCTOU) race condition vulnerabilities that could result in code execution on case-insensitive file systems when the default servlet is write-enabled.
“Simultaneous reading and loading of the same file can bypass Tomcat’s case-sensitivity checks and cause an uploaded file to be treated as a JSP, leading to remote code execution,” Apache noted in an alert for CVE-2024-50379.
Solution
The Apache Software Foundation has released security patches: Tomcat 11.0.3, 10.1.35, and 9.0.99 onwards include checks that sun.io.useCanonCaches is set correctly before allowing the default servlet to be enabled for writing on a case-insensitive filesystem. Tomcat will also set sun.io.useCanonCaches to false by default when possible.
Additional information:
- https://thehackernews.com/2024/12/apache-tomcat-vulnerability-cve-2024.html
- https://www.cve.org/CVERecord?id=CVE-2024-56337
- https://tomcat.apache.org/security-10.html
- https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp