RCE and DoS Vulnerabilities Addressed in Apache Tomcat: CVE-2024-50379 and CVE-2024-54677
The Apache Software Foundation has released important security updates to address two vulnerabilities in Apache Tomcat, a widely used open-source web server and servlet container. One of the vulnerabilities could allow attackers to execute arbitrary code remotely, potentially compromising systems and sensitive data.
The more serious vulnerability, identified as CVE-2024-50379, has been assigned an “Important” severity rating. This flaw exists in the default servlet and can be exploited under specific conditions, primarily when the servlet is configured to allow write access and the underlying file system is case-insensitive. Attackers could exploit this vulnerability by uploading malicious files disguised as legitimate ones, ultimately leading to remote code execution (RCE).
The second vulnerability, tracked as CVE-2024-54677, is a denial-of-service (DoS) vulnerability affecting the “examples” web application included with Apache Tomcat. This vulnerability could allow attackers to trigger an OutOfMemoryError by uploading excessive amounts of data, potentially crashing the server and disrupting services. While this vulnerability has a “Low” severity rating, it’s still crucial to address it to ensure the stability and availability of Tomcat servers.
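The two preconditions described above (a default servlet configured for write access on a case-insensitive file system) and the presence of the bundled examples application are all things an administrator can check locally before or after patching. The following audit script is an added example written for this post, not code from the Apache advisory or the Tomcat project. It assumes a standard layout under the Tomcat installation directory (conf/web.xml and webapps/), relies on the real DefaultServlet class name and its `readonly` init parameter (which Tomcat defaults to true), and uses two constructed web.xml fragments as sample input; the `demo()` function builds a throwaway installation directory so the script runs offline.

```python
"""Audit a Tomcat installation directory for the risky settings named in the advisory:
a write-enabled default servlet (readonly=false), a case-insensitive file system under
webapps/, and a deployed 'examples' web application. Example code, not part of Tomcat."""
import tempfile
import uuid
import xml.etree.ElementTree as ET
from pathlib import Path

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: the non-default, risky configuration with readonly=false.
WRITABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed sample: readonly not set, so Tomcat's default (true) applies.
READONLY_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace; web.xml tags arrive as '{namespace}servlet'."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml_text):
    """True if the DefaultServlet has its 'readonly' init-param explicitly set to false."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class, params = "", {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                kv = {_local(e.tag): (e.text or "").strip() for e in child}
                params[kv.get("param-name", "")] = kv.get("param-value", "")
        if servlet_class == DEFAULT_SERVLET:
            # Absent parameter means Tomcat's default, which is read-only.
            return params.get("readonly", "true").lower() == "false"
    return False


def filesystem_case_insensitive(directory):
    """Probe the file system: write a mixed-case file and look it up in lower case."""
    probe = Path(directory) / f"CaseProbe-{uuid.uuid4().hex}.tmp"
    probe.write_text("probe")
    try:
        return (probe.parent / probe.name.lower()).exists()
    finally:
        probe.unlink()


def audit_tomcat_home(catalina_home):
    """Return a list of human-readable findings for one installation directory."""
    home = Path(catalina_home)
    findings = []
    web_xml = home / "conf" / "web.xml"
    writable = web_xml.is_file() and default_servlet_writable(web_xml.read_text())
    if writable:
        findings.append("default servlet allows writes (readonly=false) in conf/web.xml")
    webapps = home / "webapps"
    if webapps.is_dir() and filesystem_case_insensitive(webapps):
        findings.append("webapps/ is on a case-insensitive file system")
        if writable:
            findings.append("both CVE-2024-50379 preconditions are present")
    if (webapps / "examples").is_dir():
        findings.append("bundled examples web application is deployed (CVE-2024-54677)")
    return findings


def demo():
    """Build a constructed, temporary installation directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / "conf").mkdir()
        (home / "conf" / "web.xml").write_text(WRITABLE_WEB_XML)
        (home / "webapps" / "examples").mkdir(parents=True)
        return audit_tomcat_home(home)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Run it against a real installation with `audit_tomcat_home("/path/to/tomcat")`; the case-sensitivity probe writes one temporary file under webapps/, so run it as the account that owns that directory. The script reports conditions, not exploitability: updating to a fixed release remains the actual remediation, and removing the examples application from production deployments is good practice regardless of version.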
Affected Versions:
The vulnerabilities impact a wide range of Apache Tomcat versions, including:
- Apache Tomcat 11.0.0-M1 to 11.0.1
- Apache Tomcat 10.1.0-M1 to 10.1.33
- Apache Tomcat 9.0.0.M1 to 9.0.97
Mitigation:
The Apache Software Foundation urges all users to update their Tomcat installations to the latest versions immediately. The following versions contain fixes for both vulnerabilities:
Administrators are advised to review the official security advisories from Apache and apply the necessary updates as soon as possible to mitigate the risk of exploitation. This is especially crucial for systems exposed to the internet or handling sensitive information.