The Apache Software Foundation (ASF) has issued a critical security patch addressing a vulnerability in the Apache Tomcat server that could permit remote code execution (RCE) under specific conditions.
Identified as CVE-2024-56337, this vulnerability arises from an incomplete fix for CVE-2024-50379, a previously documented flaw with a CVSS score of 9.8. The earlier issue was mitigated on December 17, 2024, but additional steps are now required to fully safeguard affected systems.
“Users running Tomcat on case-insensitive file systems with the default servlet write enabled (readonly initialization parameter set to false) might need to apply further configuration changes based on the Java version deployed alongside Tomcat,” ASF maintainers advised.
Nature of the Vulnerability
Both CVE-2024-50379 and CVE-2024-56337 stem from a Time-of-check Time-of-use (TOCTOU) race condition. On case-insensitive file systems, concurrent read and upload operations on the same path can cause an uploaded file to bypass Tomcat’s case-sensitivity checks under high load and be erroneously treated as a JSP file, enabling an attacker to execute malicious code remotely.
Affected Versions of Apache Tomcat
The following Tomcat versions are vulnerable to CVE-2024-56337:
- Apache Tomcat 11.0.0-M1 to 11.0.1 (patched in 11.0.2 or newer)
- Apache Tomcat 10.1.0-M1 to 10.1.33 (patched in 10.1.34 or newer)
- Apache Tomcat 9.0.0-M1 to 9.0.97 (patched in 9.0.98 or newer)
Mitigation Steps Based on Java Versions
For users deploying Apache Tomcat, the following system property configurations are recommended based on the Java version:
- Java 8 or Java 11: Set the sun.io.useCanonCaches property to false (default is true).
- Java 17: Ensure sun.io.useCanonCaches is set to false (default is already false).
- Java 21 or newer: No additional actions are required, as the system property has been removed.
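As an added example (not code from the advisory or the Tomcat project), a small Python audit helper that applies the rules above to a deployment: it checks whether conf/web.xml sets the default servlet's readonly parameter to false and, given the Java major version and the JVM options Tomcat is launched with, reports which sun.io.useCanonCaches change is still needed. It generalises the advisory's Java 8/11 and Java 17 cases to "before Java 12" and "Java 12 to 20", since the property's default changed to false in JDK 12; the function names, sample web.xml and option strings are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a risky conf/web.xml: default servlet with readonly=false.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so Tomcat 9 (javaee) and 10/11 (jakartaee) files both parse."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml):
    """True if the 'default' servlet declares init-param readonly=false (write enabled)."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text for c in servlet if _local(c.tag) == "servlet-name"), None)
        if (name or "").strip() != "default":
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly" and kv.get("param-value", "").lower() == "false":
                return True
    return False


def canon_caches_setting(jvm_opts):
    """Return the explicit -Dsun.io.useCanonCaches value in the JVM options, or None."""
    m = re.search(r"-Dsun\.io\.useCanonCaches=(true|false)", jvm_opts)
    return m.group(1) if m else None


def required_action(java_major, jvm_opts):
    """Map Java version + current JVM options to the system-property change the advisory asks for."""
    explicit = canon_caches_setting(jvm_opts)
    if java_major >= 21:
        return "none (sun.io.useCanonCaches was removed in Java 21)"
    if java_major >= 12:  # assumption: default is false from JDK 12 on; only an explicit true re-enables it
        return "remove -Dsun.io.useCanonCaches=true (must be false)" if explicit == "true" else "none (default is already false)"
    if explicit == "false":  # Java 8/11: cache is on unless disabled explicitly
        return "none (already disabled explicitly)"
    return "add -Dsun.io.useCanonCaches=false to CATALINA_OPTS"


def audit(java_major, jvm_opts, web_xml):
    """Collect findings; patching to a fixed Tomcat release is still required regardless of the property."""
    findings = []
    if default_servlet_writable(web_xml):
        findings.append("default servlet is writable (readonly=false): configuration in scope of the advisory")
    findings.append("system property: " + required_action(java_major, jvm_opts))
    return findings
```

Run audit(11, CATALINA_OPTS, open("conf/web.xml").read()) against a real instance to get the findings list; the property change is in addition to upgrading, not a replacement for it.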
Credit and Discovery
The ASF acknowledged contributions from researchers Nacl, WHOAMI, Yemoli, and Ruozhi, who identified and reported these vulnerabilities. The KnownSec 404 Team was also credited for independently disclosing CVE-2024-56337, accompanied by proof-of-concept (PoC) exploit code.
Broader Implications in the Security Landscape
This disclosure comes amid heightened scrutiny of server vulnerabilities, with the Zero Day Initiative (ZDI) unveiling details of a critical bug in Webmin (CVE-2024-12828, CVSS score: 9.9). The Webmin flaw, stemming from improper validation of user input in CGI requests, could allow authenticated attackers to execute arbitrary code with root-level privileges.
“Exploitation arises from the inadequate validation of a user-supplied string, which is subsequently used in a system call,” ZDI stated. “This flaw could allow attackers to execute commands in a root context, escalating potential damages.”
Organizations running Apache Tomcat must promptly update to a patched release and apply the Java-specific configuration changes above. With attackers actively exploiting vulnerabilities like these, closing configuration gaps and maintaining rigorous patch management practices are vital to mitigating risk.