Advisory

Apache patches critical remote code execution flaw in Tomcat Web Server

Take action: If you are running Apache Tomcat, plan for a patch. Exploitation does require specific conditions (write access enabled on the default servlet and a case-insensitive filesystem), but those are easy enough to meet that the flaw carries a critical severity rating. Do not ignore this issue, especially if your Tomcat application is exposed to the Internet.


Learn More

Apache has released security updates addressing two interconnected vulnerabilities in Tomcat.

  • CVE-2024-56337 (CVSS score 9.8) addresses an incomplete fix for CVE-2024-50379 (CVSS score 9.8). Both stem from a time-of-check time-of-use (TOCTOU) race condition that affects systems where the default servlet has write enabled on a case-insensitive filesystem.
  • An attacker could bypass the case-sensitivity checks during concurrent read and upload operations, potentially causing an uploaded file to be treated as a JSP and executed, which enables remote code execution.

The vulnerabilities affect Apache Tomcat versions 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97.

Apache has released patched versions 11.0.2, 10.1.34, and 9.0.98 to address these issues. Additionally, users must apply a configuration step that depends on their Java version: for Java 8 and 11, the JVM system property 'sun.io.useCanonCaches' must be set to false explicitly; Java 17 users should verify that it is false; Java 21 and later need no configuration because the problematic cache has been removed.

The Apache team has announced further security enhancements in the upcoming versions 11.0.3, 10.1.35, and 9.0.99. These releases will enforce the safer configuration automatically by checking the 'sun.io.useCanonCaches' setting before enabling write access for the default servlet on case-insensitive filesystems.
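As an added triage helper that is not part of the Apache advisory, the following POSIX shell script classifies a Tomcat version string (as printed by bin/version.sh) against the affected ranges listed above and reports what to do about 'sun.io.useCanonCaches' for a given Java major version. The version thresholds and the Java 8/11, 17 and 21+ guidance come from the advisory text; treating Java 12 through 20 like Java 17 ("verify the default") is an assumption of this example, as are the sample inputs at the bottom.

```shell
#!/bin/sh
# Added example: triage helper for CVE-2024-50379 / CVE-2024-56337 (not part of
# the Apache advisory). Thresholds follow the advisory; the 12-20 "verify" band
# is an assumption of this example.

# Classify a Tomcat version against the affected ranges.
# Prints: affected | fixed | unlisted
tomcat_status() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -d. -f2)
  # Third component with a milestone tag (9.0.0.M1 or 11.0.0-M1) stripped.
  # Milestones of x.y.0 sort below every numbered release, so patch 0 is correct.
  patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/-M.*$//')
  case "$major.$minor" in
    11.0) fix=2 ;;                       # fixed in 11.0.2
    10.1) fix=34 ;;                      # fixed in 10.1.34
    9.0)  fix=98 ;;                      # fixed in 9.0.98
    *)    echo unlisted; return 0 ;;     # branch not named in the advisory
  esac
  if [ "$patch" -lt "$fix" ]; then echo affected; else echo fixed; fi
}

# Required handling of the sun.io.useCanonCaches JVM property for a Java
# major version (8, 11, 17, 21, ...). Prints: set-false | verify-false | none
canon_cache_action() {
  if [ "$1" -le 11 ]; then
    echo set-false          # Java 8/11: must be set to false explicitly
  elif [ "$1" -le 20 ]; then
    echo verify-false       # Java 17 (assumed 12-20): confirm it is false
  else
    echo none               # Java 21+: the cache has been removed
  fi
}

# The advisory asks for the property setting in addition to patching,
# so report both verdicts for one deployment.
triage() {
  printf 'tomcat=%s status=%s java=%s canon_caches=%s\n' \
    "$1" "$(tomcat_status "$1")" "$2" "$(canon_cache_action "$2")"
}

# Constructed sample inputs, not taken from a real deployment:
triage 9.0.97 11
triage 11.0.0-M1 17
triage 10.1.34 21
```

Run it against the output of `$CATALINA_HOME/bin/version.sh` and the JVM's major version; the property itself is normally set via `-Dsun.io.useCanonCaches=false` in CATALINA_OPTS.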
