Security updates addressing CVE-2024-56337 fully mitigate CVE-2024-50379

Threat ID:CC-4596

Threat Severity:Medium

Published:24 December 2024 11:35 AM

Summary

Affected platforms

Summary

Security updates addressing CVE-2024-56337 fully mitigate CVE-2024-50379

Affected platforms

The following platforms are known to be affected:

Apache Tomcat

11.0.0-M1 to 11.0.1

10.1.0-M1 to 10.1.33

9.0.0.M1 to 9.0.97

Threat details

Proof-of-concept exploit for CVE-2024-50379

A public proof-of-concept exploit is available for CVE-2024-50379. Exploitation of CVE-2024-50379 and CVE-2024-56337 is considered more likely.

Introduction

The Apache Software Foundation has released two security bulletins addressing critical vulnerabilities in Apache Tomcat. Tomcat is an open-source implementation of the Jakarta EE platform that provides a 'pure Java' HTTP web server environment.

On 17 December 2024, Apache issued a security bulletin addressing CVE-2024-50379, which is a 'Time-of check Time-of-use (TOCTOU) Race Condition' vulnerability with a CVSSv3 score of 9.8. If exploited, an unauthenticated attacker could achieve remote code execution (RCE) if the default servlet is enabled for write operations (non-default configuration) on case-insensitive file systems.

On 20 December 2024, Apache issued a second security bulletin advising that mitigation of CVE-2024-50379 was incomplete and assigned CVE-2024-56337 to address the issue. Apache advise additional mitigation steps may be required to fully remediate CVE-2024-56337, depending on the Java version used with Tomcat.

Remediation advice

Affected organisations are strongly encouraged to review the Apache Security Bulletin for CVE-2024-56337 and apply the relevant updates and mitigations as soon as practicable.

Note: Depending on which Java version is used with Tomcat, additional mitigation steps may be required to fully remediate CVE-2024-56337. These are detailed below.

Remediation steps


Patch	Update Apache Tomcat to: version 11.0.2 or later version 10.1.34 or later version 9.0.98 or later https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp
Action	Java 8 or Java 11 The system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) Java 17 The system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false) Java 21 and higher No further configuration is required (the system property and the problematic cache have been removed) https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp

Patch

Update Apache Tomcat to:

version 11.0.2 or later

version 10.1.34 or later

version 9.0.98 or later

https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp

Action

Java 8 or Java 11

The system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)

Java 17

The system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)

Java 21 and higher

No further configuration is required (the system property and the problematic cache have been removed)

https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp

Definitive source of threat updates

https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp

https://tomcat.apache.org/security-11.html

https://tomcat.apache.org/security-10.html

https://tomcat.apache.org/security-9.html

CVE Vulnerabilities

StatusPublished

CVE-2024-56337Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat: - running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) - running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false) - running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.

StatusPublished

CVE-2024-50379Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

Last edited: 24 December 2024 11:35 am