The Apache Software Foundation recently released a critical security update to address a remote code execution (RCE) vulnerability in Apache Tomcat, identified as CVE-2024-56337. This vulnerability affects a wide range of Tomcat versions, including 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97.
This vulnerability stems from an incomplete mitigation for a previous vulnerability, CVE-2024-50379. Attackers could exploit this flaw on case-insensitive file systems where Tomcat’s default servlet has write functionality enabled. By manipulating specific paths, malicious actors could bypass security measures and upload files containing harmful JSP code, ultimately leading to remote code execution.
Users running affected versions of Apache Tomcat on case-insensitive file systems, particularly those with the default servlet’s write functionality enabled, are most vulnerable. This vulnerability poses a significant threat as it could allow attackers to gain complete control of the affected system.
CVE-2024-56337 was identified and reported by researchers Nacl, WHOAMI, Yemoli, and Ruozhi, with further contributions from the Knownsec 404 team, including dawu and Sunflower, who provided a detailed PoC.
The Apache Software Foundation urges users to update their Tomcat installations to the latest secure versions:
- Apache Tomcat 11.0.2 or later
- Apache Tomcat 10.1.34 or later
- Apache Tomcat 9.0.98 or later
Depending on the Java version used with Tomcat, further configuration may be necessary to fully mitigate the risk:
- Java 8 or Java 11: Explicitly set the system property sun.io.useCanonCaches to false.
- Java 17: Ensure the system property sun.io.useCanonCaches, if set, is set to false.
- Java 21 and later: No further action is required.
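As an added example, not code from the advisory or the Tomcat project, the POSIX shell check below applies the version-dependent guidance above to a host's Java version and configured JVM options, and separately flags a default servlet configured with readonly=false (the write-enabled state the advisory warns about). The sample java -version output, CATALINA_OPTS string and web.xml fragment are constructed, and the web.xml check is a text match rather than an XML parse.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Tomcat project: checks whether a host
# still needs the sun.io.useCanonCaches mitigation for CVE-2024-56337 and whether the
# default servlet is writable (readonly=false), a precondition for the bug.
# Extract the Java major version from `java -version` output ("1.8.0_x" -> 8, "17.0.9" -> 17).
java_major() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  case "$v" in
    1.*) echo "$v" | cut -d. -f2 ;;
    *)   echo "$v" | cut -d. -f1 ;;
  esac
}

# Map a Java major version to the advisory's action:
# set-false (8, 11), ensure-not-true (17), none (21+), unspecified (versions not named).
canon_caches_action() {
  case "$1" in
    8|11) echo "set-false" ;;
    17)   echo "ensure-not-true" ;;
    *)    if [ "$1" -ge 21 ] 2>/dev/null; then echo "none"; else echo "unspecified"; fi ;;
  esac
}

# $1 = Java major, $2 = configured JVM options (e.g. CATALINA_OPTS from bin/setenv.sh).
# Returns 0 when the options satisfy the advisory for that Java version; 1 otherwise,
# including versions the advisory does not name, which need manual review.
canon_caches_ok() {
  case "$(canon_caches_action "$1")" in
    none)            return 0 ;;
    set-false)       case " $2 " in *" -Dsun.io.useCanonCaches=false "*) return 0 ;; *) return 1 ;; esac ;;
    ensure-not-true) case " $2 " in *" -Dsun.io.useCanonCaches=true "*)  return 1 ;; *) return 0 ;; esac ;;
    *)               return 1 ;;
  esac
}

# Returns 0 if the web.xml text enables writes on the default servlet (readonly=false).
# Whitespace-insensitive text match on the stock web.xml layout, not an XML parse.
default_servlet_writable() {
  printf '%s' "$1" | tr -d ' \t\n\r' | grep -q '<param-name>readonly</param-name><param-value>false</param-value>'
}

# Constructed sample inputs standing in for `java -version`, CATALINA_OPTS and conf/web.xml.
SAMPLE_JAVA='openjdk version "11.0.21" 2023-10-17'
SAMPLE_OPTS='-Xmx1g -Djava.security.egd=file:/dev/./urandom'
SAMPLE_WEBXML='<servlet><servlet-name>default</servlet-name><init-param>
  <param-name>readonly</param-name> <param-value>false</param-value></init-param></servlet>'
major=$(java_major "$SAMPLE_JAVA")
echo "Java $major: action = $(canon_caches_action "$major")"
canon_caches_ok "$major" "$SAMPLE_OPTS" && echo "useCanonCaches: OK" || echo "useCanonCaches: add -Dsun.io.useCanonCaches=false to CATALINA_OPTS"
default_servlet_writable "$SAMPLE_WEBXML" && echo "default servlet: readonly=false (writes enabled)"
```

On a real host, feed it the output of `java -version 2>&1`, the CATALINA_OPTS/JAVA_OPTS values from bin/setenv.sh, and the contents of conf/web.xml in place of the constructed samples.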