Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to Remote Code Execution Threats

The Apache Software Foundation (ASF) has issued a critical security update addressing a vulnerability in its Tomcat server software that could allow attackers to execute arbitrary code remotely, under specific conditions.

The vulnerability, identified as CVE-2024-56337, is linked to an incomplete fix for a prior security flaw (CVE-2024-50379), which had already been addressed in December 2024. Both vulnerabilities are caused by a Time-of-check Time-of-use (TOCTOU) race condition that allows an attacker to exploit Tomcat servers running on case-insensitive file systems.

Details of the Vulnerability:

  • The flaw arises when Tomcat's default servlet write functionality is enabled and the readonly initialization parameter is set to the non-default value of false. In this scenario, concurrent read and upload operations on the same file under heavy load can bypass the case-sensitivity checks, potentially allowing an uploaded file to be treated as a JSP (JavaServer Pages) file and leading to remote code execution (RCE).

  • The vulnerability affects the following versions of Apache Tomcat:

    • Apache Tomcat 11.0.0-M1 to 11.0.1 (Fixed in version 11.0.2 or later)

    • Apache Tomcat 10.1.0-M1 to 10.1.33 (Fixed in version 10.1.34 or later)

    • Apache Tomcat 9.0.0.M1 to 9.0.97 (Fixed in version 9.0.98 or later)

Required Configuration Changes:

Users running affected versions need to apply specific configurations based on their version of Java:

  • Java 8 or Java 11: Set the system property sun.io.useCanonCaches to false (default is true).

  • Java 17: Ensure that the system property sun.io.useCanonCaches is set to false (if not already set).

  • Java 21 and later: No action is needed, as the sun.io.useCanonCaches system property has been removed.
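As an added example that is not part of the article or of the Apache Tomcat project, the following POSIX shell script encodes the two conditions spelled out in the Details and Required Configuration Changes sections above: whether a web.xml sets the default servlet's readonly init-param to false (the write-enabled setting the vulnerability requires), and which Java versions need -Dsun.io.useCanonCaches=false passed to the Tomcat JVM. The java -version banner and the web.xml fragment it runs on are constructed samples; placing CATALINA_OPTS in $CATALINA_BASE/bin/setenv.sh is the standard Tomcat startup convention, not something the article states.

```shell
#!/bin/sh
# Added example, not code from the article or from the Apache Tomcat project.
# It encodes the two conditions the advisory gives: (1) the default servlet
# must be writable (readonly=false in web.xml) for the issue to matter, and
# (2) on Java 8/11/17 the JVM must run with -Dsun.io.useCanonCaches=false.

# Pull the version string out of a `java -version` banner line, e.g.
#   java version "1.8.0_392"            -> 1.8.0_392
#   openjdk version "17.0.9" 2023-10-17 -> 17.0.9
java_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p'
}

# Reduce a version string to its major number: "1.8.0_392" -> 8, "17.0.9" -> 17.
java_major_from_version_string() {
  case "$1" in
    1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
    *)   printf '%s\n' "$1" | cut -d. -f1 ;;
  esac
}

# Decide what the advisory requires for a given Java major version:
#   "set"  -> add -Dsun.io.useCanonCaches=false (Java 8, 11, 17)
#   "none" -> nothing to do, the property was removed (Java 21 and later)
canon_cache_action() {
  case "$1" in
    ''|*[!0-9]*) echo "unknown"; return 1 ;;
  esac
  if [ "$1" -ge 21 ]; then
    echo "none"
  else
    echo "set"
  fi
}

# The line to append to $CATALINA_BASE/bin/setenv.sh (sourced by catalina.sh
# at startup; assumed standard layout) so the property reaches the Tomcat JVM.
setenv_line() {
  printf 'CATALINA_OPTS="$CATALINA_OPTS -Dsun.io.useCanonCaches=false"\n'
}

# Exit 0 if the given web.xml sets the default servlet's readonly init-param
# to false (the non-default, write-enabled setting the vulnerability needs).
# Newlines are collapsed first so a multi-line <init-param> block matches.
default_servlet_writable() {
  tr -d '\n\r' < "$1" | grep -Eiq \
    '<param-name>[[:space:]]*readonly[[:space:]]*</param-name>[[:space:]]*<param-value>[[:space:]]*false[[:space:]]*</param-value>'
}

# Demonstration on constructed input (no JVM or Tomcat install required).
banner='java version "1.8.0_392"'                      # constructed sample banner
major=$(java_major_from_version_string "$(java_version_from_banner "$banner")")
echo "Java major version: $major -> action: $(canon_cache_action "$major")"
[ "$(canon_cache_action "$major")" = "set" ] && setenv_line

webxml=$(mktemp)                                        # constructed sample web.xml
cat > "$webxml" <<'EOF'
<servlet>
  <servlet-name>default</servlet-name>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
  </init-param>
</servlet>
EOF
if default_servlet_writable "$webxml"; then
  echo "default servlet is writable (readonly=false): precondition for CVE-2024-56337 is met"
else
  echo "default servlet is read-only: precondition for CVE-2024-56337 not met"
fi
rm -f "$webxml"
```

The grep-based check is a quick first pass over a single web.xml; in a real deployment the default servlet is configured in Tomcat's conf/web.xml and may be overridden per application, so every web.xml under the installation should be checked. The system property is a mitigation on top of upgrading, not a substitute for moving to 11.0.2, 10.1.34 or 9.0.98.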

Who Identified the Issue?

The vulnerabilities were reported by security researchers Nacl, WHOAMI, Yemoli, and Ruozhi, with the KnownSec 404 Team independently reporting CVE-2024-56337 along with proof-of-concept (PoC) code.

Additional Security Threats:

This vulnerability disclosure follows another significant threat identified by the Zero Day Initiative (ZDI), which recently disclosed a critical vulnerability in Webmin (CVE-2024-12828, CVSS score: 9.9). This flaw allows authenticated attackers to execute arbitrary code with root privileges by exploiting insufficient validation in the handling of CGI requests.

What You Should Do:

Tomcat users are advised to upgrade to the latest patched versions immediately. Additionally, ensure that the proper configuration changes are made based on the Java version being used. Monitoring for potential exploitation of these vulnerabilities is also crucial to maintaining server security.