Critical Tomcat flaw could expose your servers to attack

Developers at ASF described CVE-2024-56337 as an incomplete mitigation for CVE-2024-50379, another critical flaw addressed in December 2024 with a CVSS score of 9.8

by Kerem Gülen
December 24, 2024
in Cybersecurity, News

The Apache Software Foundation (ASF) has released a security update for its Tomcat server software, addressing a critical vulnerability identified as CVE-2024-56337. This flaw could enable remote code execution (RCE) under specific conditions. It affects versions of Apache Tomcat from 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97. Users are urged to upgrade to versions 11.0.2, 10.1.34, and 9.0.98 to mitigate risks.

Apache Software Foundation addresses critical Tomcat flaw

Developers at ASF described CVE-2024-56337 as an incomplete mitigation for CVE-2024-50379, another critical flaw addressed in December 2024 with a CVSS score of 9.8. Both vulnerabilities stem from time-of-check/time-of-use (TOCTOU) race conditions that can lead to unauthorized code execution on case-insensitive file systems when the default servlet is enabled for write access: concurrent read and upload operations on the same file can slip past Tomcat's case-sensitivity checks.

To fully mitigate these vulnerabilities, administrators must also make a configuration change that depends on their Java version. On Java 8 or Java 11, the system property sun.io.useCanonCaches (which defaults to true) must be explicitly set to false. On Java 17, the property defaults to false, so users only need to verify that, if it is set at all, it is set to false. No action is needed on Java 21 and later, where the property has been removed.
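As an added example (not code from the ASF or the Tomcat project), the following POSIX shell functions encode the affected-version ranges and the per-Java-version sun.io.useCanonCaches rule from the two paragraphs above, so a host can be audited offline from its Tomcat version, Java major version and JVM options string; how Java 12 to 16 are handled is an assumption the article does not cover.

```shell
#!/bin/sh
# Added example (not ASF code): audit a Tomcat host against the advisory.
# Inputs are values an admin already has: the Tomcat version string, the Java
# major version, and the JVM options string (CATALINA_OPTS/JAVA_OPTS/setenv.sh).

# Print the (lower-cased) value of -Dsun.io.useCanonCaches=... from a JVM
# options string, or "unset" if the property is not passed at all.
canon_caches_value() {
  line=$(printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^-Dsun\.io\.useCanonCaches=' | tail -n 1)
  if [ -z "$line" ]; then
    printf 'unset\n'
  else
    printf '%s\n' "${line#*=}" | tr 'A-Z' 'a-z'   # Java parses the flag case-insensitively
  fi
}

# Return 0 when the property is configured as the advisory requires for the
# given Java major version, 1 otherwise. Assumption: Java 12-16, which the
# article does not mention, are treated like 8/11 (explicit false required).
canon_caches_ok() {
  java_major="$1"
  val=$(canon_caches_value "$2")
  if [ "$java_major" -ge 21 ]; then
    return 0                       # property removed from the JDK; nothing to do
  elif [ "$java_major" -ge 17 ]; then
    [ "$val" != "true" ]           # defaults to false; only an explicit true is unsafe
  else
    [ "$val" = "false" ]           # defaults to true; must be set to false explicitly
  fi
}

# Return 0 when the Tomcat version is at or above the fixed release of its
# branch (11.0.2, 10.1.34, 9.0.98). Milestone builds and branches the advisory
# does not list return 1.
tomcat_fixed() {
  v="$1"
  case "$v" in *M[0-9]*) return 1 ;; esac
  major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
  case "$major.$minor" in
    11.0) [ "$patch" -ge 2 ] ;;
    10.1) [ "$patch" -ge 34 ] ;;
    9.0)  [ "$patch" -ge 98 ] ;;
    *)    return 1 ;;
  esac
}

# Stand-alone run with constructed sample input (a Java 11 host on 9.0.97).
if tomcat_fixed "9.0.97"; then echo "tomcat: fixed"; else echo "tomcat: upgrade required"; fi
if canon_caches_ok 11 "-Xmx2g -Djava.awt.headless=true"; then echo "useCanonCaches: ok"
else echo "useCanonCaches: add -Dsun.io.useCanonCaches=false to CATALINA_OPTS"; fi
```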

The ASF credited security researchers Nacl, WHOAMI, Yemoli, and Ruozhi for reporting these vulnerabilities. They also acknowledged the KnownSec 404 Team for its independent report on CVE-2024-56337, which included proof-of-concept (PoC) code.

Need for urgent action on Tomcat security

The disclosure of CVE-2024-56337 acts as a critical reminder for Tomcat users. Although the initial patch in December aimed to secure the system, subsequent analyses revealed that additional measures were necessary to ensure complete protection. As a result, the decision to issue a new CVE ID emphasizes the need for system administrators to take action beyond simply applying patches.

The vulnerabilities primarily affect enterprises and service providers using Tomcat as a backend for Java applications. Given Tomcat’s widespread use, the impact of these flaws could be significant. The advisory urges users to evaluate their configurations carefully, especially those relying on case-insensitive file systems with the default servlet enabled.

In response to ongoing security issues, the ASF is planning enhancements that will automatically check the configuration of the sun.io.useCanonCaches property before permitting write access for the default servlet in future releases of Tomcat. Expected updates are set for versions 11.0.3, 10.1.35, and 9.0.99. These improvements aim to reduce the risk of vulnerabilities similar to CVE-2024-50379 and CVE-2024-56337 in the future.

In parallel, the Zero Day Initiative (ZDI) has recently disclosed another critical vulnerability, CVE-2024-12828, affecting Webmin, with a CVSS score of 9.9. This flaw allows authenticated remote attackers to execute arbitrary code due to improper validation of user-supplied strings during CGI request handling, potentially compromising system integrity.

Security remains a paramount concern across software platforms.


Featured image credit: Kerem Gülen/Midjourney

Tags: Apache, Cybersecurity, Featured