Apache Tomcat Flaw CVE-2024-56337 Allows RCE Attacks
Apache Software Foundation Releases Critical Security Update for Tomcat Server
The Apache Software Foundation (ASF) has issued a crucial security update for its Tomcat server software, addressing a significant vulnerability that could lead to remote code execution (RCE). The vulnerability, identified as CVE-2024-56337, results from an incomplete mitigation of another serious flaw, CVE-2024-50379, which was previously reported on December 17, 2024. With a CVSS score of 9.8, these vulnerabilities pose a serious risk to users of Apache Tomcat.
Understanding the Vulnerability in Apache Tomcat
The newly discovered CVE-2024-56337 affects users running Tomcat on case-insensitive file systems where write access is enabled for the default servlet. According to ASF's advisory, users may need to make additional configuration changes, depending on the Java version they are running, to fully mitigate these vulnerabilities. Both CVEs are classified as Time-of-check Time-of-use (TOCTOU) race condition vulnerabilities, posing a serious risk of code execution when the default servlet is configured for write access.
Key Details of Vulnerability CVE-2024-56337
The following versions of Apache Tomcat are impacted by this vulnerability:
- Apache Tomcat 11.0.0-M1 to 11.0.1 (Fixed in 11.0.2 or later)
- Apache Tomcat 10.1.0-M1 to 10.1.33 (Fixed in 10.1.34 or later)
- Apache Tomcat 9.0.0.M1 to 9.0.97 (Fixed in 9.0.98 or later)
Recommended Configuration Changes
Users must implement specific configuration changes based on their Java version:
- Java 8 or Java 11: Set the system property sun.io.useCanonCaches to false (the default is true).
- Java 17: Ensure that the system property sun.io.useCanonCaches is set to false.
- Java 21 and later: No action is required, as this property has been removed.
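To turn the version list and the per-Java-version guidance above into a repeatable check, here is an added example (not code from the ASF advisory or the Tomcat project) that compares a host's Tomcat version against the fixed-in versions quoted above, reads the sun.io.useCanonCaches flag out of a JVM option string, and reports what still needs to change. The default servlet's readonly initialization parameter and the case-sensitivity of the file system are taken as inputs rather than detected; the sample values are constructed.

```python
import re
from typing import Optional

# Fixed-in versions per branch, taken from the advisory text quoted above.
FIXED_IN = {(11, 0): "11.0.2", (10, 1): "10.1.34", (9, 0): "9.0.98"}

# Matches 9.0.97, 11.0.0-M1 and the older 9.0.0.M1 milestone spelling.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
_FINAL = 10**6  # milestone slot for a final release, so 11.0.0-M1 < 11.0.0


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch, milestone) so tuples sort like Tomcat releases."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else _FINAL)


def tomcat_is_affected(version: str) -> Optional[bool]:
    """True if the version predates the fix, False if fixed, None if the branch is not listed."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    return None if fixed is None else v < parse_version(fixed)


def canon_caches_setting(jvm_opts: str) -> Optional[bool]:
    """Extract -Dsun.io.useCanonCaches=<bool> from a JVM option string; None if absent."""
    m = re.search(r"-Dsun\.io\.useCanonCaches=(true|false)\b", jvm_opts)
    return None if m is None else m.group(1) == "true"


def required_actions(tomcat_version: str, java_major: int, jvm_opts: str,
                     default_servlet_readonly: bool, case_insensitive_fs: bool) -> list:
    """List what still has to change on this host; an empty list means nothing is outstanding."""
    affected = tomcat_is_affected(tomcat_version)
    if affected is None:
        return [f"Tomcat {tomcat_version} is not on a branch covered by this advisory"]
    actions = []
    if affected:
        fixed = FIXED_IN[parse_version(tomcat_version)[:2]]
        actions.append(f"upgrade Tomcat {tomcat_version} to {fixed} or later")
    # The race needs both preconditions: a writable default servlet on a case-insensitive FS.
    if case_insensitive_fs and not default_servlet_readonly:
        actions.append("set the default servlet readonly=true unless write access is required")
    # Java 21+ removed sun.io.useCanonCaches; older runtimes must run with it explicitly false.
    if java_major < 21 and canon_caches_setting(jvm_opts) is not False:
        actions.append("add -Dsun.io.useCanonCaches=false to CATALINA_OPTS")
    return actions
```

Feed it the output of Tomcat's version script, the JVM major version and the contents of CATALINA_OPTS from setenv.sh, and treat any non-empty list as an open finding.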
Acknowledgments and Related Vulnerabilities
The ASF credited several security researchers, including Nacl, WHOAMI, Yemoli, and Ruozhi, for identifying and reporting these vulnerabilities. Additionally, the KnownSec 404 Team was acknowledged for independently reporting CVE-2024-56337 along with proof-of-concept (PoC) code.
This disclosure follows a separate announcement by the Zero Day Initiative (ZDI) regarding a critical bug in Webmin (CVE-2024-12828), which has a CVSS score of 9.9. This flaw allows authenticated remote attackers to execute arbitrary code due to inadequate validation of user-supplied input.
Conclusion and Next Steps
For users of Apache Tomcat, addressing these vulnerabilities promptly is crucial to maintaining system security. It’s important to ensure your software is updated to the latest versions and to configure your systems according to the recommended guidelines.
For further reading on Apache Tomcat vulnerabilities, check out Apache Tomcat Security and stay informed about the latest in cybersecurity news through the Zero Day Initiative.