Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks

Faheem

December 24, 2024 | Ravi Lakshmanan | Vulnerability / Zero-Day


The Apache Software Foundation (ASF) has released a security update to address a critical vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions.

The vulnerability, tracked as CVE-2024-56337, is described as an incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8), another critical security flaw in the same product that was originally disclosed on December 17, 2024.

"Users running Tomcat on a case-insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat," the project maintainers said in an advisory last week.


Both flaws are time-of-check time-of-use (TOCTOU) race condition vulnerabilities that could result in code execution on case-insensitive file systems when the default servlet is enabled for write (readonly set to false, which is not Tomcat's default).

Apache noted in its alert for CVE-2024-50379 that "concurrent reads and uploads under load of the same file can bypass Tomcat's case-sensitivity checks and cause the uploaded file to be treated as a JSP, leading to remote code execution."

CVE-2024-56337 affects the following versions of Apache Tomcat:

  • Apache Tomcat 11.0.0-M1 to 11.0.1 (fixed in 11.0.2 or later)
  • Apache Tomcat 10.1.0-M1 to 10.1.33 (fixed in 10.1.34 or later)
  • Apache Tomcat 9.0.0.M1 to 9.0.97 (fixed in 9.0.98 or later)

In addition to upgrading, users need to make the following configuration change depending on the version of Java they are running:

  • Java 8 or Java 11: explicitly set the system property sun.io.useCanonCaches to false (it defaults to true)
  • Java 17: set the system property sun.io.useCanonCaches to false if it has been set at all (it already defaults to false)
  • Java 21 and later: no action is required, as the system property has been removed
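As an added illustration of the guidance above (this is not the Tomcat project's or the ASF advisory's own tooling), the POSIX shell script below checks the two facts that decide whether the extra JVM step applies: whether the default servlet's readonly init-param is set to false in a web.xml, and which Java major version and sun.io.useCanonCaches setting the JVM is started with. The sample web.xml and the java -version banner are constructed for the example, and the function names and verdict strings are the example's own. It does not detect file-system case sensitivity (assume yes on Windows and on default macOS volumes) and it does not replace upgrading Tomcat to a fixed release.

```shell
#!/bin/sh
# Added example; not part of the Apache advisory or of Tomcat itself.
# Decides, from a web.xml and the JVM Tomcat runs on, which
# sun.io.useCanonCaches step the advisory's per-Java-version guidance calls for.

# Java major version from a `java -version` banner: "1.8.0_392" -> 8, "17.0.9" -> 17.
java_major() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  case "$v" in
    1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
    *)   printf '%s\n' "$v" | cut -d. -f1 ;;
  esac
}

# Value of the default servlet's "readonly" init-param in a web.xml, or "unset"
# when absent (Tomcat's built-in default is true, i.e. the servlet is not writable).
default_servlet_readonly() {
  awk '
    /<servlet>/   { inblk=1; blk="" }
    inblk         { blk = blk $0 "\n" }
    /<\/servlet>/ { inblk=0
                    if (blk ~ /<servlet-name>[[:space:]]*default[[:space:]]*<\/servlet-name>/) print blk }
  ' "$1" | awk '
    /<param-name>[[:space:]]*readonly[[:space:]]*<\/param-name>/ { want=1 }
    want && /<param-value>/ {
      sub(/.*<param-value>[[:space:]]*/, ""); sub(/[[:space:]]*<\/param-value>.*/, "")
      print; found=1; exit
    }
    END { if (!found) print "unset" }
  '
}

# "true", "false" or "unset" for sun.io.useCanonCaches in a JVM option string
# (e.g. the CATALINA_OPTS exported from bin/setenv.sh).
canon_caches_setting() {
  case "$1" in
    *-Dsun.io.useCanonCaches=true*)  echo true ;;
    *-Dsun.io.useCanonCaches=false*) echo false ;;
    *)                               echo unset ;;
  esac
}

# Verdict on the JVM-side step, given Java major, readonly value and current setting:
#   read-only       default servlet is not writable, so the TOCTOU path is unreachable
#   no-flag-needed  Java 21+: the property no longer exists; the Tomcat upgrade suffices
#   ok              property already in the safe state for this Java version
#   set-false       Java 8/11: add -Dsun.io.useCanonCaches=false to CATALINA_OPTS
#   remove-true     Java 17: the cache was forced on explicitly; drop that option
assess() {
  major="$1"; readonly_value="$2"; setting="$3"
  if [ "$readonly_value" != "false" ]; then echo read-only
  elif [ "$major" -ge 21 ]; then echo no-flag-needed
  elif [ "$major" -ge 17 ]; then
    [ "$setting" = true ] && echo remove-true || echo ok
  else
    [ "$setting" = false ] && echo ok || echo set-false
  fi
}

# Constructed sample input: a writable default servlet on Java 11 with no flag set,
# which is exactly the configuration the advisory says needs extra work.
SAMPLE_WEBXML=$(mktemp)
cat > "$SAMPLE_WEBXML" <<'EOF'
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
EOF
SAMPLE_JAVA='openjdk version "11.0.21" 2023-10-17'
SAMPLE_OPTS='-Xmx512m'

run_sample() {
  assess "$(java_major "$SAMPLE_JAVA")" \
         "$(default_servlet_readonly "$SAMPLE_WEBXML")" \
         "$(canon_caches_setting "$SAMPLE_OPTS")"
}
run_sample   # prints: set-false
```

Point `default_servlet_readonly` at Tomcat's conf/web.xml and at each webapp's WEB-INF/web.xml, since a webapp can override the global default servlet; a `set-false` verdict means adding `-Dsun.io.useCanonCaches=false` to CATALINA_OPTS in bin/setenv.sh on top of the version upgrade, while `read-only` means the race is not reachable in the first place.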

The ASF credited security researchers Nacl, WHOAMI, Yemoli, and Ruozhi with identifying and reporting both flaws. It also acknowledged the KnownSec 404 Team for independently reporting CVE-2024-56337 along with proof-of-concept (PoC) code.

The disclosure came as the Zero-Day Initiative (ZDI) shared details of a critical bug in Webmin (CVE-2024-12828, CVSS score: 9.9) that could allow authenticated remote attackers to execute arbitrary code.

"The specific flaw exists within the handling of CGI requests," ZDI said. "The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root."
