CVE-2024-56337: Apache Tomcat Patches Critical RCE Vulnerability

CVE-2023-41081 -CVE-2024-56337

The Apache Software Foundation recently released a critical security update to address a remote code execution (RCE) vulnerability in Apache Tomcat, identified as CVE-2024-56337. This vulnerability affects a wide range of Tomcat versions, including 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97.

This vulnerability stems from an incomplete mitigation for a previous vulnerability, CVE-2024-50379. Attackers could exploit this flaw on case-insensitive file systems where Tomcat’s default servlet has write functionality enabled. By manipulating specific paths, malicious actors could bypass security measures and upload files containing harmful JSP code, ultimately leading to remote code execution.

Users running affected versions of Apache Tomcat on case-insensitive file systems, particularly those with the default servlet’s write functionality enabled, are most vulnerable. This vulnerability poses a significant threat as it could allow attackers to gain complete control of the affected system.

CVE-2024-56337 was identified and reported by researchers Nacl, WHOAMI, Yemoli, and Ruozhi, with further contributions from the Knownsec 404 team, including dawu and Sunflower, who provided a detailed PoC.

The Apache Software Foundation urges users to update their Tomcat installations to the latest secure versions:

Depending on the Java version used with Tomcat, further configuration may be necessary to fully mitigate the risk:

  • Java 8 or Java 11: Explicitly set the system property sun.io.useCanonCaches to false.
  • Java 17: Ensure the system property sun.io.useCanonCaches, if set, is set to false.
  • Java 21 and later: No further action is required.

Related Posts: