
Critical Tomcat flaw could expose your servers to attack

Developers at ASF described CVE-2024-56337 as an incomplete mitigation for CVE-2024-50379, another critical flaw addressed in December 2024 with a CVSS score of 9.8

by Kerem Gülen
December 24, 2024
in Cybersecurity, News

The Apache Software Foundation (ASF) has released a security update for its Tomcat server software, addressing a critical vulnerability identified as CVE-2024-56337. The flaw can lead to remote code execution (RCE), but only under specific conditions: the server runs on a case-insensitive file system and its default servlet has been configured to accept writes. It affects Apache Tomcat versions 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97. Users are urged to upgrade to 11.0.2, 10.1.34, or 9.0.98 respectively, and to apply the configuration change described below.

Apache Software Foundation addresses critical Tomcat flaw

ASF describes CVE-2024-56337 as an incomplete mitigation of CVE-2024-50379, a critical flaw (CVSS 9.8) that was patched earlier in December 2024. Both issues are the same Time-of-check Time-of-use (TOCTOU) race condition. On a case-insensitive file system, if the default servlet is write-enabled (its readonly initialisation parameter set to the non-default value false), a concurrent read and upload of the same file under load can bypass Tomcat’s case-sensitivity checks, so that an uploaded file ends up being treated as a JSP and executed on the server.

Upgrading alone does not close the hole. Whether the fix is effective depends on a JVM setting, so administrators must also check the system property sun.io.useCanonCaches according to their Java version. On Java 8 or Java 11 the property defaults to true and must be set explicitly to false. On Java 17 it defaults to false, so the only requirement is to verify that it has not been overridden to true. On Java 21 and later no action is needed, because the property has been removed from the JDK.
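As an added example, not tooling from the Tomcat project or the ASF advisory, the following POSIX shell script encodes the three rules above and adds the other precondition both CVEs share, a write-enabled default servlet. The function names, the two sample web.xml fragments and the CATALINA_OPTS wording are this example’s own assumptions; the rules themselves are the advisory’s.

```shell
#!/bin/sh
# Added example (not from the Tomcat advisory or the Tomcat project): a small
# audit script that applies the advisory's rules for sun.io.useCanonCaches and
# checks whether the default servlet is writable. Function names, the sample
# web.xml fragments and the CATALINA_OPTS suggestion are assumptions made here.

# Map a Java major version to the advisory's instruction for sun.io.useCanonCaches.
# Prints "set-false" (Java 8/11: defaults to true, must be set explicitly),
# "verify-false" (Java 17: defaults to false, only check it is not overridden),
# or "none" (Java 21+: property removed).
canon_caches_action() {
  major="$1"
  if [ "$major" -le 11 ]; then
    echo "set-false"
  elif [ "$major" -lt 21 ]; then
    echo "verify-false"
  else
    echo "none"
  fi
}

# Extract the major version from `java -version` text: "1.8.0_392" -> 8, "17.0.9" -> 17.
java_major() {
  ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  case "$ver" in
    1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
    *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
  esac
}

# Succeed (exit 0) if the named web.xml gives the "default" servlet readonly=false,
# i.e. PUT/DELETE are accepted, which is the precondition both CVEs require.
# Line-oriented heuristic, not an XML parser: it does not understand comments,
# so treat a hit as a prompt to inspect the file rather than as proof.
default_servlet_writable() {
  awk '
    /<servlet>/                                              { inservlet=1; isdefault=0; ro="" }
    inservlet && /<servlet-name> *default *<\/servlet-name>/ { isdefault=1 }
    inservlet && /<param-name> *readonly *<\/param-name>/    { want=1 }
    want && /<param-value> *false *<\/param-value>/          { ro="false" }
    /<\/init-param>/                                         { want=0 }
    /<\/servlet>/                                            { if (isdefault && ro=="false") found=1; inservlet=0 }
    END                                                      { exit found ? 0 : 1 }
  ' "$1"
}

# Constructed sample fragments (shape of Tomcat's conf/web.xml, content invented here).
sample_web_xml_writable() {
  cat <<'EOF'
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
EOF
}

sample_web_xml_readonly() {
  cat <<'EOF'
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
</web-app>
EOF
}

# Stand-alone run: audit the two samples, then the local JVM if one is installed.
tmp=$(mktemp)
sample_web_xml_writable > "$tmp"
if default_servlet_writable "$tmp"; then
  echo "sample 1: default servlet is writable (readonly=false) - CVE precondition met"
fi
sample_web_xml_readonly > "$tmp"
if ! default_servlet_writable "$tmp"; then
  echo "sample 2: default servlet is read-only (stock default)"
fi
rm -f "$tmp"

if command -v java >/dev/null 2>&1; then
  major=$(java_major "$(java -version 2>&1)")
  if [ -n "$major" ]; then
    case "$(canon_caches_action "$major")" in
      set-false)    echo "Java $major: add -Dsun.io.useCanonCaches=false to CATALINA_OPTS" ;;
      verify-false) echo "Java $major: make sure nothing sets -Dsun.io.useCanonCaches=true" ;;
      none)         echo "Java $major: property removed, nothing to set" ;;
    esac
  fi
fi
```

Run it on the Tomcat host as the user that starts Tomcat so that `java` resolves to the JVM Tomcat actually uses, and point `default_servlet_writable` at both the global conf/web.xml and each application’s WEB-INF/web.xml, since an application can override the default servlet’s readonly setting locally.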


The ASF credited security researchers Nacl, WHOAMI, Yemoli, and Ruozhi for reporting these vulnerabilities. They also acknowledged the KnownSec 404 Team for its independent report on CVE-2024-56337, which included proof-of-concept (PoC) code.


Need for urgent action on Tomcat security

The disclosure of CVE-2024-56337 is a reminder that applying a patch is not always the whole fix. The December update for CVE-2024-50379 was meant to close the issue, but further analysis showed that, on some Java versions, the fix only works if a JVM property is also set. ASF issued a separate CVE ID precisely so that administrators who had already patched would notice the additional configuration step.

The vulnerabilities primarily affect enterprises and service providers using Tomcat as a backend for Java applications. Given Tomcat’s widespread use, the impact could be significant, although the exposed population is narrower than the version list suggests: only deployments on case-insensitive file systems with a write-enabled default servlet are reachable. The advisory urges users to review exactly those two settings.

ASF also plans to make the check automatic. Future releases of Tomcat, expected as 11.0.3, 10.1.35, and 9.0.99, will verify the sun.io.useCanonCaches setting before permitting write access for the default servlet, so that a misconfigured JVM cannot silently re-enable the conditions behind CVE-2024-50379 and CVE-2024-56337.

In parallel, the Zero Day Initiative (ZDI) has recently disclosed another critical vulnerability, CVE-2024-12828, affecting Webmin, with a CVSS score of 9.9. This flaw allows authenticated remote attackers to execute arbitrary code due to improper validation of user-supplied strings during CGI request handling, potentially compromising system integrity.

Security remains a paramount concern across software platforms.


Featured image credit: Kerem Gülen/Midjourney
