    Apache Tomcat Vulnerability CVE-2024-56337 Enables RCE Exploits

    The Apache Software Foundation (ASF) has published follow-up guidance for a vulnerability in the Apache Tomcat server that can lead to remote code execution (RCE) under specific conditions.

    Tracked as CVE-2024-56337, the issue is an incomplete fix for CVE-2024-50379, a previously documented flaw rated CVSS 9.8. Patched Tomcat releases for the earlier issue shipped on December 17, 2024, but on some Java versions those releases alone do not close the hole: an additional configuration step is required to fully protect affected systems.

    “Users running Tomcat on case-insensitive file systems with the default servlet write enabled (readonly initialization parameter set to false) might need to apply further configuration changes based on the Java version deployed alongside Tomcat,” ASF maintainers advised.

    Nature of the Vulnerability

    Both CVE-2024-50379 and CVE-2024-56337 stem from a Time-of-check Time-of-use (TOCTOU) race condition. On a case-insensitive file system, concurrent read and upload operations on the same file under load can bypass Tomcat's case-sensitivity checks: a file written through the write-enabled default servlet is checked as one thing and then used as another, so an uploaded file that should never be compiled is erroneously treated as a JSP and executed on the server. Two preconditions therefore have to hold for the bug to be reachable: the file system must be case-insensitive (Windows, or macOS with its default settings), and the default servlet must have write enabled, which is not Tomcat's default.

    Affected Versions of Apache Tomcat

    The following Tomcat versions are vulnerable to CVE-2024-56337:

    • Apache Tomcat 11.0.0-M1 to 11.0.1 (patched in 11.0.2 or newer)
    • Apache Tomcat 10.1.0-M1 to 10.1.33 (patched in 10.1.34 or newer)
    • Apache Tomcat 9.0.0-M1 to 9.0.97 (patched in 9.0.98 or newer)

    Mitigation Steps Based on Java Versions

    For deployments that meet those preconditions, the ASF recommends the following handling of the sun.io.useCanonCaches JVM system property, which controls the canonical-path cache the race depends on, in addition to upgrading to a patched Tomcat release:

    • Java 8 or Java 11: Explicitly set sun.io.useCanonCaches to false (its default on these versions is true).
    • Java 17: Ensure sun.io.useCanonCaches remains false (the default is already false; verify nothing in the launch configuration overrides it).
    • Java 21 or newer: No additional action is required, because the property has been removed from the JDK.
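    The following script is an added example and is not code from the ASF advisory or from the article: it turns the three bullets above into a per-host check. It assumes Tomcat is launched through bin/catalina.sh, so the JVM flag can be supplied through CATALINA_OPTS in bin/setenv.sh, and that the default servlet's readonly parameter lives in conf/web.xml (or a webapp's WEB-INF/web.xml). The web.xml fragment it reads is constructed for the demonstration; Java versions the advisory's table does not list are reported as "unknown" rather than guessed.

```shell
#!/bin/sh
# Added example, not part of the ASF advisory: decide whether the
# CVE-2024-56337 follow-up step applies to a Tomcat host and what it is.

# Extract the major version from a "java -version" style string.
# "1.8.0_392" -> 8 (legacy 1.x scheme), "11.0.21" -> 11, "17.0.9" -> 17, "21" -> 21.
java_major_version() {
    v=$1
    case "$v" in
        1.*) echo "$v" | sed 's/^1\.\([0-9][0-9]*\).*/\1/' ;;
        *)   echo "$v" | sed 's/^\([0-9][0-9]*\).*/\1/' ;;
    esac
}

# Is the default servlet write-enabled, i.e. does this web.xml set
# readonly=false (the non-default, vulnerable setting)? Returns 0 if so.
default_servlet_writable() {
    tr -d '\n\r' < "$1" \
      | grep -q '<param-name>[[:space:]]*readonly[[:space:]]*</param-name>[[:space:]]*<param-value>[[:space:]]*false[[:space:]]*</param-value>'
}

# Required handling of sun.io.useCanonCaches per the advisory's Java table:
#   set     -> defaults to true, must be set to false (Java 8, 11)
#   verify  -> already defaults to false, confirm it is not overridden (Java 17)
#   none    -> property removed from the JDK (Java 21 and newer)
#   unknown -> version not covered by the table; consult the ASF guidance
canon_cache_action() {
    case "$1" in
        8|11) echo set ;;
        17)   echo verify ;;
        *)    if [ "$1" -ge 21 ] 2>/dev/null; then echo none; else echo unknown; fi ;;
    esac
}

# CATALINA_OPTS fragment for bin/setenv.sh. Pinning the property to false is
# correct for both "set" and "verify"; on Java 21+ the property no longer
# exists, so nothing is emitted.
canon_cache_jvm_flag() {
    case "$(canon_cache_action "$1")" in
        set|verify) echo "-Dsun.io.useCanonCaches=false" ;;
        *)          echo "" ;;
    esac
}

# One-line verdict for a host. Hosts with readonly=true are out of scope for
# the extra step but still need the patched Tomcat release.
assess_host() {
    web_xml=$1
    major=$(java_major_version "$2")
    if ! default_servlet_writable "$web_xml"; then
        echo "readonly not set to false: extra step not needed; still upgrade Tomcat"
        return 0
    fi
    flag=$(canon_cache_jvm_flag "$major")
    case "$(canon_cache_action "$major")" in
        set)    echo "Java $major: add CATALINA_OPTS=\"\$CATALINA_OPTS $flag\" to bin/setenv.sh" ;;
        verify) echo "Java $major: default is already false; confirm no launcher sets it to true ($flag is harmless)" ;;
        none)   echo "Java $major: property removed; the patched Tomcat release is sufficient" ;;
        *)      echo "Java $major: not in the advisory table; check the ASF guidance" ;;
    esac
}

# Constructed sample conf/web.xml fragment with write enabled.
SAMPLE_WEB_XML=$(mktemp)
cat > "$SAMPLE_WEB_XML" <<'EOF'
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
</servlet>
EOF

assess_host "$SAMPLE_WEB_XML" "1.8.0_392"
assess_host "$SAMPLE_WEB_XML" "17.0.9"
assess_host "$SAMPLE_WEB_XML" "21.0.1"
rm -f "$SAMPLE_WEB_XML"
```

    On a real host, feed `assess_host` the path to the running instance's conf/web.xml and the version string from `java -version`; remember that a webapp's own WEB-INF/web.xml can also enable write on the default servlet, so every deployed application should be checked, not only the global file.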

    Credit and Discovery

    The ASF acknowledged contributions from researchers Nacl, WHOAMI, Yemoli, and Ruozhi, who identified and reported these vulnerabilities. The KnownSec 404 Team was also credited for independently disclosing CVE-2024-56337, accompanied by proof-of-concept (PoC) exploit code.

    Broader Implications in the Security Landscape

    This disclosure comes amid heightened scrutiny of server vulnerabilities, with the Zero Day Initiative (ZDI) unveiling details of a critical bug in Webmin (CVE-2024-12828, CVSS score: 9.9). The Webmin flaw, stemming from improper validation of user input in CGI requests, could allow authenticated attackers to execute arbitrary code with root-level privileges.

    “Exploitation arises from the inadequate validation of a user-supplied string, which is subsequently used in a system call,” ZDI stated. “This flaw could allow attackers to execute commands in a root context, escalating potential damages.”

    Organizations running Apache Tomcat should upgrade to a patched release promptly and, where the default servlet is write-enabled on a case-insensitive file system, apply the Java-version-specific property change as well. With proof-of-concept code for CVE-2024-56337 already public, closing configuration gaps and maintaining rigorous patch management are essential to reducing the risk.
