Severity Level: Critical
Title:
Vulnerability in Apache Tomcat
Summary:
• CVE-2024-56337
• Vulnerability Type: Time-of-check Time-of-use (TOCTOU) Race Condition
• The vulnerability stems from an incomplete mitigation of a previous vulnerability (CVE-2024-50379). The flaw is exploitable on case-insensitive file systems where Tomcat’s default servlet has write functionality enabled. By manipulating specific paths, attackers can bypass security measures and upload malicious JSP files, leading to remote code execution.
• Exploitation of this vulnerability can allow attackers to execute arbitrary code on the affected server, potentially granting them complete control over the system.
Affected Versions:
• Apache Tomcat 11.0.0-M1 to 11.0.1
• Apache Tomcat 10.1.0-M1 to 10.1.33
• Apache Tomcat 9.0.0.M1 to 9.0.97
Fixed Versions:
• Apache Tomcat 11.0.2 or later
• Apache Tomcat 10.1.34 or later
• Apache Tomcat 9.0.98 or later
Java Configuration Requirements:
Depending on the Java version used with Apache Tomcat, additional configuration may be necessary:
• Java 8 or Java 11: Explicitly set the system property sun.io.useCanonCaches to false.
• Java 17: Ensure the system property sun.io.useCanonCaches, if set, is set to false.
• Java 21 and later: No further action is required.
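The following audit helper is an added example, not part of this advisory or of the Apache Tomcat project. It turns the conditions stated above into checks a defender can run: whether an installed Tomcat version falls into one of the affected ranges, whether the default servlet has write support enabled (the `readonly` init-param of `org.apache.catalina.servlets.DefaultServlet` set to `false` in web.xml, which is the standard Tomcat setting behind "write functionality enabled"), and whether the JVM needs `sun.io.useCanonCaches=false` for its Java version. The version ranges and the property name come from the advisory; the sample web.xml and the JVM option strings are constructed for illustration, and the handling of Java versions between 12 and 16 (which the advisory does not mention) is an assumption that applies the stricter Java 8/11 rule.

```python
"""Audit helper for CVE-2024-56337 conditions (added example, not advisory code)."""
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory, keyed by release branch; the value is the
# last affected GA release (inclusive). Every milestone build of the branch
# (e.g. 11.0.0-M1, 9.0.0.M1) precedes these bounds and is therefore affected.
AFFECTED_UPPER_BOUND = {
    (11, 0): (11, 0, 1),
    (10, 1): (10, 1, 33),
    (9, 0): (9, 0, 97),
}

# Accepts both milestone spellings Tomcat has used: "10.1.0-M1" and "9.0.0.M1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def parse_tomcat_version(version: str) -> tuple:
    """Return a sortable tuple (major, minor, patch, is_ga, milestone).

    A GA release sorts after every milestone of the same x.y.z number.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = m.group(4)
    return (major, minor, patch, 0 if milestone else 1, int(milestone or 0))


def is_affected(version: str) -> bool:
    """True if the version is inside an affected range listed in the advisory."""
    v = parse_tomcat_version(version)
    bound = AFFECTED_UPPER_BOUND.get(v[:2])
    if bound is None:
        return False  # branch not named by the advisory
    return v <= bound + (1, 0)  # compare against the GA form of the bound


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as '{http://...}servlet'."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml: str) -> bool:
    """True if web.xml configures the DefaultServlet with readonly=false.

    Tomcat's DefaultServlet is read-only unless readonly is set to false,
    so an absent init-param counts as not writable.
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != DEFAULT_SERVLET_CLASS:
            continue
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            name = value = ""
            for child in init_param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name == "readonly":
                return value.lower() == "false"
        return False
    return False


def canon_cache_action(java_major: int, jvm_opts: str) -> str:
    """Apply the advisory's Java rules to a JVM option string such as CATALINA_OPTS."""
    m = re.search(r"-Dsun\.io\.useCanonCaches=(\S+)", jvm_opts)
    value = m.group(1).lower() if m else None
    if java_major >= 21:
        return "ok"  # Java 21+: nothing to do
    if java_major >= 17:
        # Java 17: the property only matters if it is explicitly set
        return "ok" if value in (None, "false") else "set -Dsun.io.useCanonCaches=false"
    # Java 8/11 (assumption: also applied to 12-16): must be explicitly false
    return "ok" if value == "false" else "set -Dsun.io.useCanonCaches=false"


def audit(version: str, web_xml: str, java_major: int, jvm_opts: str) -> list:
    """Collect the findings a defender would act on for one Tomcat instance."""
    findings = []
    if is_affected(version):
        findings.append(f"Tomcat {version} is in an affected range: upgrade")
    if default_servlet_writable(web_xml):
        findings.append("DefaultServlet readonly=false: write support enabled")
    action = canon_cache_action(java_major, jvm_opts)
    if action != "ok":
        findings.append(action)
    return findings


# Constructed sample web.xml with the risky setting, for illustration only.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    for finding in audit("9.0.97", SAMPLE_WEB_XML, 11, ""):
        print("-", finding)
```

Running the block as a script against the constructed sample reports all three findings (affected version, writable default servlet, missing `sun.io.useCanonCaches=false` on Java 11); after upgrading to 9.0.98, setting `readonly` back to `true`, and adding the property, `audit` returns an empty list.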
Recommendations:
We recommend upgrading affected installations to the fixed versions as soon as possible, and applying the Java configuration requirements above where the Java version calls for them.