Trio of Apache Tomcat Flaws Disclosed: Authentication Bypass, HTTP/2 Request Mix-Up, and XSS Flaw
The Apache Software Foundation has disclosed three new vulnerabilities in Apache Tomcat, the widely used open-source web server and servlet container. They cover an authentication bypass in deployments using custom Jakarta Authentication components, a request and response mix-up on HTTP/2 connections, and a cross-site scripting (XSS) flaw in generated JSPs, and they affect the 9.0.x, 10.1.x and 11.0.x release branches.
The first vulnerability, identified as CVE-2024-52316, is an authentication bypass that applies only to deployments using a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext. The advisory describes the issue: “If Tomcat was configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not have failed, allowing the user to bypass the authentication process.” It adds that “There are no known Jakarta Authentication components that behave in this way,” so the practical exposure is limited to in-house or third-party modules. Anyone maintaining such a module should check that every failure path sets an explicit HTTP error status rather than leaving the outcome to an escaping exception.
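The defensive pattern the advisory points at is easy to state: never let an authentication failure leave validateRequest() as an exception with the response still at its default status. The following is an added illustration written for this article, not code from Tomcat or from any real Jakarta Authentication provider. It is a hypothetical API-token ServerAuthModule for Tomcat 10.1/11 (jakarta.* packages; Tomcat invokes modules through a ServerAuthContext, and the same rule applies if you implement the context yourself). The `X-Api-Token` header, the `TOKENS` map and the `api-user` group are constructed for the example.

```java
import java.io.IOException;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import jakarta.security.auth.message.AuthException;
import jakarta.security.auth.message.AuthStatus;
import jakarta.security.auth.message.MessageInfo;
import jakarta.security.auth.message.MessagePolicy;
import jakarta.security.auth.message.callback.CallerPrincipalCallback;
import jakarta.security.auth.message.callback.GroupPrincipalCallback;
import jakarta.security.auth.message.module.ServerAuthModule;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Added example (not Tomcat code): a hypothetical API-token ServerAuthModule
 * written to fail closed. Every non-success path sets an explicit HTTP status
 * and returns SEND_FAILURE, so the outcome never depends on how the container
 * treats an exception that escapes validateRequest().
 */
public class FailClosedAuthModule implements ServerAuthModule {

    // Constructed stand-in for a token store; a real backend lookup can throw.
    private static final Map<String, String> TOKENS = Map.of("tok-alice-123", "alice");

    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map<String, Object> options) {
        this.handler = handler;
    }

    @Override
    public Class<?>[] getSupportedMessageTypes() {
        return new Class<?>[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        try {
            String user = lookupToken(request.getHeader("X-Api-Token"));
            if (user == null) {
                return deny(response, HttpServletResponse.SC_UNAUTHORIZED);
            }
            // Register the authenticated caller and its group with the container.
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, user),
                new GroupPrincipalCallback(clientSubject, new String[] { "api-user" })
            });
            return AuthStatus.SUCCESS;
        } catch (IOException | UnsupportedCallbackException | RuntimeException e) {
            // The pattern the advisory warns about is letting an exception escape
            // here with the response status untouched. Turn it into an explicit denial.
            return deny(response, HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    // Single choke point for every failure: explicit status, then SEND_FAILURE.
    private static AuthStatus deny(HttpServletResponse response, int status) {
        response.setStatus(status);
        return AuthStatus.SEND_FAILURE;
    }

    // Hypothetical lookup standing in for a backend call that may fail or throw.
    private static String lookupToken(String token) {
        return token == null ? null : TOKENS.get(token);
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) {
            subject.getPrincipals().clear();
        }
    }
}
```

The point of routing every failure through `deny()` is that the HTTP status and the `SEND_FAILURE` return value are always set together; a module that throws before setting either is exactly the shape the advisory describes, and on an unpatched Tomcat that shape is what could let a request through.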
The second vulnerability, tracked as CVE-2024-52317, is a request and response mix-up. It stems from “incorrect recycling of the request and response used by HTTP/2 requests,” so sensitive data from one user's request or response could end up in the response sent to another. Deployments that serve per-user content over HTTP/2 are the ones exposed.
Finally, CVE-2024-52318 is a potential XSS vulnerability in generated JSPs (JavaServer Pages). It is a regression: the fix for improvement 69333 inadvertently caused “pooled JSP tags not to be released after use which in turn could cause output of some tags not to be escaped as expected.” Output that should have been escaped but is not is the precondition for XSS, so attacker-supplied data rendered by an affected tag could execute as script in another user's browser, with session hijacking or data theft as the usual consequences. Because this regression shipped after the fixes for the other two issues, installations already updated for CVE-2024-52316 and CVE-2024-52317 still need a further upgrade.
Fixes for all three vulnerabilities are available on every supported branch. Upgrade to at least the following releases; the CVE-2024-52318 versions are the later ones and cover all three issues:
- CVE-2024-52316 & CVE-2024-52317: Upgrade to Apache Tomcat 11.0.0 or later, 10.1.31 or later, or 9.0.96 or later.
- CVE-2024-52318: Upgrade to Apache Tomcat 11.0.1 or later, 10.1.33 or later, or 9.0.97 or later.
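Deciding whether a given install is past these fixes is slightly fiddly because Tomcat 11 shipped milestone builds (11.0.0-M1 to 11.0.0-M26) before 11.0.0, and a plain numeric or string comparison orders them wrongly. The following is an added helper written for this article, not Tomcat project code. It encodes only the fixed releases listed above, so "below the fix" is not the same as "affected" for CVE-2024-52317 and CVE-2024-52318, whose affected ranges in the ASF advisory start later than the branch's first release; treat a `true` as "upgrade" rather than as a positive confirmation of exposure. The sample versions in `main` are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not Tomcat code): compare an installed Tomcat version with the
 * fixed releases listed in the article. Milestone builds such as 11.0.0-M26 sort
 * before the final 11.0.0, which a naive comparison gets wrong.
 */
public final class TomcatFixCheck {

    /** CVE, then the fixed release on the 9.0.x, 10.1.x and 11.0.x branches. */
    private static final String[][] FIXED = {
        { "CVE-2024-52316", "9.0.96", "10.1.31", "11.0.0" },
        { "CVE-2024-52317", "9.0.96", "10.1.31", "11.0.0" },
        { "CVE-2024-52318", "9.0.97", "10.1.33", "11.0.1" },
    };

    private static final Pattern FORMAT = Pattern.compile("(\\d+)\\.(\\d+)\\.(\\d+)(?:-M(\\d+))?");

    /** Parsed "major.minor.patch[-Mn]"; a final release outranks all its milestones. */
    static final class Version implements Comparable<Version> {
        final int major, minor, patch, milestone;

        Version(int major, int minor, int patch, int milestone) {
            this.major = major; this.minor = minor; this.patch = patch; this.milestone = milestone;
        }

        static Version parse(String text) {
            Matcher m = FORMAT.matcher(text.trim());
            if (!m.matches()) {
                throw new IllegalArgumentException("not a Tomcat version: " + text);
            }
            // No "-Mn" suffix means a final release, which must sort after every milestone.
            int milestone = m.group(4) == null ? Integer.MAX_VALUE : Integer.parseInt(m.group(4));
            return new Version(Integer.parseInt(m.group(1)), Integer.parseInt(m.group(2)),
                               Integer.parseInt(m.group(3)), milestone);
        }

        /** Column in FIXED for this release branch, or -1 if the branch is not listed. */
        int column() {
            if (major == 9 && minor == 0) return 1;
            if (major == 10 && minor == 1) return 2;
            if (major == 11 && minor == 0) return 3;
            return -1;
        }

        @Override
        public int compareTo(Version o) {
            int c = Integer.compare(major, o.major);
            if (c == 0) c = Integer.compare(minor, o.minor);
            if (c == 0) c = Integer.compare(patch, o.patch);
            if (c == 0) c = Integer.compare(milestone, o.milestone);
            return c;
        }
    }

    /**
     * Maps each CVE to true when the installed version is below its fixed release,
     * false when at or above it, and null when the branch is not covered here.
     */
    static Map<String, Boolean> belowFix(String installed) {
        Version v = Version.parse(installed);
        int col = v.column();
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String[] row : FIXED) {
            result.put(row[0], col < 0 ? null : v.compareTo(Version.parse(row[col])) < 0);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed inputs; on a real host take the number from bin/version.sh,
        // which prints a line like "Server version: Apache Tomcat/10.1.32".
        String[] samples = args.length > 0 ? args
                : new String[] { "11.0.0-M26", "11.0.0", "10.1.32", "9.0.97" };
        for (String s : samples) {
            System.out.println(s + " -> " + belowFix(s));
        }
    }
}
```

With the constructed samples, 11.0.0-M26 is below all three fixes, 11.0.0 and 10.1.32 are past the first two but below the CVE-2024-52318 fix, and 9.0.97 is past all of them, which is the practical takeaway: only the 9.0.97 / 10.1.33 / 11.0.1 line of releases closes all three issues.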