Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks

The Apache Software Foundation (ASF) has released a security update to address an important vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions.

The vulnerability, tracked as CVE-2024-56337, has been described as an incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8), another critical security flaw in the same product that was previously addressed on December 17, 2024.

“Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat,” the project maintainers said in an advisory last week.

Both flaws are time-of-check time-of-use (TOCTOU) race condition vulnerabilities that can lead to code execution on case-insensitive file systems when the default servlet is enabled for write.

“Concurrent read and upload under load of the same file can bypass Tomcat’s case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution,” Apache noted in an alert for CVE-2024-50379.

CVE-2024-56337 affects the following versions of Apache Tomcat:

  • Apache Tomcat 11.0.0-M1 to 11.0.1 (Fixed in 11.0.2 or later)
  • Apache Tomcat 10.1.0-M1 to 10.1.33 (Fixed in 10.1.34 or later)
  • Apache Tomcat 9.0.0.M1 to 9.0.97 (Fixed in 9.0.98 or later)

Additionally, users must make the following configuration changes depending on the version of Java in use:

  • Java 8 or Java 11 – Explicitly set system property sun.io.useCanonCaches to false (it defaults to true)
  • Java 17 – Set system property sun.io.useCanonCaches to false, if already set (it defaults to false)
  • Java 21 and later – No action is required, as the system property has been removed
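The three Java cases above, together with the `readonly` precondition from the advisory, make a small pre-flight check that an operator can run before touching `bin/setenv.sh`. The script below is an added example for this article, not code from the Apache advisory or the Tomcat project: it takes the first line of `java -version` output and the JVM options Tomcat is started with (typically `CATALINA_OPTS`) and reports what, if anything, has to change for `sun.io.useCanonCaches`, then checks whether a `web.xml` fragment actually sets the default servlet's `readonly` parameter to `false`. Function names, the returned action strings, and the sample inputs are constructed; for Java releases the advisory does not name (9, 10, 12 to 16) the script assumes the conservative rule of requiring an explicit `false`, which is harmless where the default is already `false`.

```shell
#!/bin/sh
# Added example (not from the Apache advisory or the article above).
# Maps the advisory's guidance for sun.io.useCanonCaches onto a host:
#   Java 8/11 : property defaults to true  -> must be set to false explicitly
#   Java 17   : property defaults to false -> only fix it if it is set to true
#   Java 21+  : property no longer exists  -> nothing to do
# Assumption: Java 9, 10 and 12-16 (not named by the advisory) are treated
# like 8/11, so an explicit false is requested for them as well.
# Function names, action strings and sample inputs are constructed here.

# java_major "<first line of java -version output>" -> prints 8, 11, 17, 21 ...
java_major() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
  case "$v" in
    1.*) printf '%s\n' "$v" | cut -d. -f2 ;;   # legacy "1.8.0_392" scheme -> 8
    *)   printf '%s\n' "$v" | cut -d. -f1 ;;   # "11.0.21", "17.0.9", "21" scheme
  esac
}

# canon_cache_action <java_major> "<jvm options>" -> prints one of:
#   none | already-false | add-false | change-to-false
canon_cache_action() {
  major=$1
  opts=" $2 "   # pad so each option can be matched as a whole word
  if [ "$major" -ge 21 ]; then
    echo none                     # Java 21+: the property was removed
    return 0
  fi
  case "$opts" in
    *" -Dsun.io.useCanonCaches=false "*) echo already-false ;;
    *" -Dsun.io.useCanonCaches=true "*)  echo change-to-false ;;
    *) if [ "$major" -ge 17 ]; then echo none; else echo add-false; fi ;;
  esac
}

# default_servlet_writable "<contents of conf/web.xml>" -> exit 0 when the
# default servlet's readonly init-param is false (the precondition for both
# CVEs). Assumes param-name precedes param-value, as in Tomcat's shipped web.xml.
default_servlet_writable() {
  printf '%s' "$1" | tr -d ' \t\n' \
    | grep -qF '<param-name>readonly</param-name><param-value>false</param-value>'
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_JAVA_VERSION='openjdk version "11.0.21" 2023-10-17'
SAMPLE_CATALINA_OPTS='-Xms512m -Xmx2g'
SAMPLE_WEB_XML='<servlet>
  <servlet-name>default</servlet-name>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
  </init-param>
</servlet>'

sample_major=$(java_major "$SAMPLE_JAVA_VERSION")
echo "Java major version: $sample_major"
echo "sun.io.useCanonCaches action: $(canon_cache_action "$sample_major" "$SAMPLE_CATALINA_OPTS")"
if default_servlet_writable "$SAMPLE_WEB_XML"; then
  echo "default servlet is writable (readonly=false): mitigation applies"
else
  echo "default servlet is read-only: precondition for the race is absent"
fi
```

For the constructed sample (Java 11, no property set, `readonly` = `false`) the script reports `add-false`, meaning `-Dsun.io.useCanonCaches=false` has to be added to the JVM options in addition to upgrading to a fixed Tomcat release. An action of `none` on Java 17 or 21 does not remove the need to upgrade; the property only closes the residual gap the advisory describes.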

The ASF credited security researchers Nacl, WHOAMI, Yemoli, and Ruozhi for identifying and reporting both shortcomings. It also acknowledged the KnownSec 404 Team for independently reporting CVE-2024-56337 with proof-of-concept (PoC) code.

The disclosure comes as the Zero Day Initiative (ZDI) shared details of a critical bug in Webmin (CVE-2024-12828, CVSS score: 9.9) that allows authenticated remote attackers to execute arbitrary code.

“The specific flaw exists within the handling of CGI requests,” the ZDI said. “The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.”
