The Apache Software Foundation (ASF) has released a security update for its Tomcat server software, addressing a critical vulnerability identified as CVE-2024-56337. This flaw can enable remote code execution (RCE) under specific conditions. It affects Apache Tomcat versions 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97. Users are urged to upgrade to 11.0.2, 10.1.34, or 9.0.98 (or later), and, depending on the Java version in use, to set a JVM system property as described below; upgrading the Tomcat binaries alone is not sufficient on older Java releases.
Apache Software Foundation addresses critical Tomcat flaw
ASF describes CVE-2024-56337 as the result of an incomplete mitigation for CVE-2024-50379, a critical flaw (CVSS 9.8) that was also fixed in December 2024. Both vulnerabilities stem from a Time-of-check Time-of-use (TOCTOU) race condition that can lead to unauthorized code execution on case-insensitive file systems when the default servlet is enabled for write access (its readonly initialisation parameter set to the non-default value false). Under load, a concurrent read and upload of the same file under a different case can bypass Tomcat's case-sensitivity checks, causing an uploaded file to be treated as a JSP and executed.
To fully mitigate these vulnerabilities, administrators must make an additional configuration change that depends on their Java version. On Java 8 or Java 11, the JVM system property sun.io.useCanonCaches must be explicitly set to false (for example via -Dsun.io.useCanonCaches=false in CATALINA_OPTS), because it defaults to true. On Java 17 the property defaults to false, so users only need to verify that it has not been set to true. No action is needed on Java 21 and later, where the property has been removed.
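The two preconditions above (a writable default servlet and an effective sun.io.useCanonCaches of true) can be checked offline against a Tomcat installation's configuration. The following audit script is an added example written for this article, not code from ASF or the Tomcat project. It assumes the Tomcat binaries are already at the fixed versions and only covers the extra configuration step; the sample conf/web.xml and setenv.sh contents are constructed inline, and the treatment of Java versions between 11 and 17 (assumed to keep the older default of true) is a conservative assumption, since the advisory only names Java 8, 11, 17 and 21.

```python
"""Audit Tomcat configuration for the CVE-2024-50379 / CVE-2024-56337 preconditions.

Added example, not ASF/Tomcat project code. Checks:
  1. Is the DefaultServlet writable (init-param readonly=false in web.xml)?
  2. Is sun.io.useCanonCaches explicitly set in the JVM options (setenv.sh / CATALINA_OPTS)?
  3. Given the Java major version, is the effective value of the property true?
The race described in the advisory needs 1 and 3 together.
"""
import re
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
CANON_RE = re.compile(r"-Dsun\.io\.useCanonCaches=(\S+)")


def _local(tag: str) -> str:
    """Strip the XML namespace so Tomcat 9 (javaee) and 10/11 (jakartaee) web.xml both parse."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml: str) -> bool:
    """True if the DefaultServlet declares init-param readonly=false (PUT/DELETE allowed).
    The readonly parameter defaults to true when absent."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != DEFAULT_SERVLET:
            continue
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            name = value = ""
            for child in init_param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name == "readonly":
                return value.lower() == "false"
    return False


def canon_caches_setting(jvm_opts: str):
    """Return 'true' / 'false' if -Dsun.io.useCanonCaches is present in the options text
    (last occurrence wins, as the JVM does for repeated -D flags), otherwise None."""
    matches = CANON_RE.findall(jvm_opts)
    return matches[-1].strip("\"'").lower() if matches else None


def canon_caches_effective(java_major: int, explicit) -> bool:
    """Effective value of sun.io.useCanonCaches per the ASF advisory:
    Java 8/11 default true, Java 17 default false, Java 21+ property removed.
    Assumption (not in the advisory): releases between 11 and 17 keep the older default."""
    if java_major >= 21:
        return False  # property no longer exists; cannot be turned on
    if explicit is not None:
        return explicit == "true"
    return java_major < 17


def assess(web_xml: str, jvm_opts: str, java_major: int) -> str:
    """Combine the checks into a verdict string starting with 'exposed' or 'ok'."""
    if not default_servlet_writable(web_xml):
        return "ok: default servlet is read-only"
    explicit = canon_caches_setting(jvm_opts)
    if canon_caches_effective(java_major, explicit):
        return "exposed: default servlet writable and sun.io.useCanonCaches is effectively true"
    return "ok: default servlet writable but sun.io.useCanonCaches is false"


# Constructed sample inputs (not taken from a real deployment).
WEB_XML_WRITABLE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
WEB_XML_DEFAULT = WEB_XML_WRITABLE.replace("<param-value>false</param-value>", "<param-value>true</param-value>")
SETENV_WEAK = 'export CATALINA_OPTS="-Xmx1g"'                                  # nothing set: Java 8/11 default applies
SETENV_FIXED = 'export CATALINA_OPTS="-Xmx1g -Dsun.io.useCanonCaches=false"'    # the advisory's required setting

if __name__ == "__main__":
    for java in (8, 11, 17, 21):
        print(f"Java {java}, weak setenv:  {assess(WEB_XML_WRITABLE, SETENV_WEAK, java)}")
        print(f"Java {java}, fixed setenv: {assess(WEB_XML_WRITABLE, SETENV_FIXED, java)}")
```

Parsing setenv.sh only tells you what the start script intends to pass; for a running instance, `jcmd <pid> VM.system_properties` lists the properties actually in effect in that JVM and is the stronger check. Remember that readonly can also be overridden in an individual application's WEB-INF/web.xml, so run the first check against every deployed webapp, not only conf/web.xml.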
The ASF credited security researchers Nacl, WHOAMI, Yemoli, and Ruozhi for reporting these vulnerabilities. They also acknowledged the KnownSec 404 Team for its independent report on CVE-2024-56337, which included proof-of-concept (PoC) code.
Need for urgent action on Tomcat security
The disclosure of CVE-2024-56337 is a pointed reminder for Tomcat users. Although the initial fix for CVE-2024-50379 in December was meant to close the issue, subsequent analysis showed that additional measures were necessary for complete protection. Issuing a new CVE ID for the incomplete mitigation underlines that system administrators must act beyond simply applying the patched release.
The vulnerabilities primarily affect enterprises and service providers using Tomcat as a backend for Java applications. Given Tomcat's widespread use, the impact of these flaws could be significant. The advisory urges users to review their configurations carefully, especially deployments on case-insensitive file systems (Windows, and macOS with its default file system) where the default servlet has been made writable.
In response, the ASF plans to have future releases of Tomcat check the setting of the sun.io.useCanonCaches property before allowing write access for the default servlet, so that a misconfigured JVM cannot silently reintroduce the exposure. This check is expected in versions 11.0.3, 10.1.35, and 9.0.99 and is intended to reduce the risk of vulnerabilities similar to CVE-2024-50379 and CVE-2024-56337 in the future.
In parallel, the Zero Day Initiative (ZDI) has recently disclosed another critical vulnerability, CVE-2024-12828, affecting Webmin, with a CVSS score of 9.9. This flaw allows authenticated remote attackers to execute arbitrary code due to improper validation of user-supplied strings during CGI request handling, potentially compromising system integrity.
Security remains a paramount concern across software platforms.
Featured image credit: Kerem Gülen/Midjourney