Apache Tomcat Vulnerabilities Exposed, Prompt Updates Required

CVE-2024-24549 & CVE-2024-23672

Security researchers have disclosed two vulnerabilities (CVE-2024-23672 and CVE-2024-24549) in popular Apache Tomcat web server software. Organizations relying on Tomcat must prioritize updates to mitigate denial of service (DoS) attacks exploiting these flaws.

CVE-2024-24549 & CVE-2024-23672

What’s Apache Tomcat?

Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies. It provides a “pure Java” HTTP web server environment in which Java code can also run. Thus it is a Java web application server, although not a full JEE application server.

What Do the Vulnerabilities Do?

  • Resource Hogging (CVE-2024-23672): Attackers can exploit a flaw in how Tomcat handles WebSocket connections. This allows them to tie up your server’s resources indefinitely, potentially slowing down or even crashing your website or app.
  • HTTP/2 Header Trouble (CVE-2024-24549): Attackers can send oversized HTTP/2 headers with their requests. Tomcat can get bogged down trying to process these huge headers, again leading to resource exhaustion and potential downtime.

Who’s At Risk?

Anyone using the following Apache Tomcat versions is vulnerable:

  • Apache Tomcat 11.0.0-M1 to 11.0.0-M16
  • Apache Tomcat 10.1.0-M1 to 10.1.18
  • Apache Tomcat 9.0.0-M1 to 9.0.85
  • Apache Tomcat 8.5.0 to 8.5.98

Don’t Panic, PATCH!

The good news is there’s a fix. Update your Apache Tomcat installations immediately to the following versions or later:

Beyond Updates: Stay Vigilant

Remember, patching is essential but not a cure-all. Keep these security tips top of mind:

  • Regular Updates: Adopt a habit of applying security patches for all your software, not just Tomcat.
  • Monitoring: Watch your system’s resource usage to spot unusual spikes that could indicate an attack.
  • Defense in Depth: Combine firewalls, intrusion detection systems, and other security measures for layered protection.