Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks

Dec 24, 2024 | Ravie Lakshmanan | Vulnerability / Zero Day

The Apache Software Foundation (ASF) has released a security update to address an important vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions.

The vulnerability, tracked as CVE-2024-56337, has been described as an incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8), another critical security flaw in the same product that was previously addressed on December 17, 2024.

“Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat,” the project maintainers said in an advisory last week.


Both flaws are Time-of-check Time-of-use (TOCTOU) race condition vulnerabilities that could result in code execution on case-insensitive file systems when the default servlet is enabled for write.

“Concurrent read and upload under load of the same file can bypass Tomcat’s case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution,” Apache noted in an alert for CVE-2024-50379.

CVE-2024-56337 affects the following versions of Apache Tomcat:

  • Apache Tomcat 11.0.0-M1 to 11.0.1 (Fixed in 11.0.2 or later)
  • Apache Tomcat 10.1.0-M1 to 10.1.33 (Fixed in 10.1.34 or later)
  • Apache Tomcat 9.0.0.M1 to 9.0.97 (Fixed in 9.0.98 or later)

Additionally, users are required to carry out the following configuration changes depending on the version of Java being run:

  • Java 8 or Java 11 – Explicitly set the system property sun.io.useCanonCaches to false (it defaults to true)
  • Java 17 – Set the system property sun.io.useCanonCaches to false, if it is already set (it defaults to false)
  • Java 21 and later – No action is required, as the system property has been removed
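As an added example (not code from the advisory or the Tomcat project), the POSIX shell check below applies the per-Java rules above to a host: it reports whether the default servlet in a web.xml has the non-default readonly=false, and, given the Java major version and the JVM options actually in effect, whether sun.io.useCanonCaches still needs attention. The web.xml fragment is constructed, and the option strings passed in are assumptions standing in for a real CATALINA_OPTS/JAVA_OPTS.

```shell
#!/bin/sh
# Added example (not from the advisory or Tomcat): does this host still need the CVE-2024-56337 follow-up?
set -eu
# Prints "yes" when the *default* servlet in the given web.xml has the
# non-default readonly=false (writes enabled); other servlets are ignored.
default_servlet_writable() {
  awk '
    /<servlet-name>[[:space:]]*default[[:space:]]*<\/servlet-name>/ { in_def = 1 }
    /<\/servlet>/ { in_def = 0; want = 0 }
    in_def && /<param-name>[[:space:]]*readonly[[:space:]]*<\/param-name>/ { want = 1 }
    in_def && want && /<param-value>/ {
      want = 0
      if ($0 ~ /<param-value>[[:space:]]*false[[:space:]]*<\/param-value>/) found = 1
    }
    END { print (found ? "yes" : "no") }' "$1"
}
# $1 = Java major version, $2 = yes/no from default_servlet_writable,
# $3 = JVM options in effect (CATALINA_OPTS/JAVA_OPTS). Prints ok/action/unknown.
canon_caches_status() {
  major=$1; writable=$2; opts=$3
  if [ "$writable" != "yes" ]; then
    echo "ok: default servlet is read-only"; return
  fi
  case "$major" in
    8|11) case "$opts" in
      *-Dsun.io.useCanonCaches=false*) echo "ok: sun.io.useCanonCaches explicitly false" ;;
      *) echo "action: add -Dsun.io.useCanonCaches=false (defaults to true on Java $major)" ;;
    esac ;;
    17) case "$opts" in
      *-Dsun.io.useCanonCaches=true*) echo "action: set -Dsun.io.useCanonCaches=false (overridden to true)" ;;
      *) echo "ok: sun.io.useCanonCaches defaults to false on Java 17" ;;
    esac ;;
    *) if [ "$major" -ge 21 ] 2>/dev/null; then
         echo "ok: sun.io.useCanonCaches was removed in Java 21"
       else
         echo "unknown: Java $major not covered by the advisory; check manually"
       fi ;;
  esac
}
# Constructed web.xml sample showing the risky readonly=false on the default servlet.
SAMPLE_WEB_XML=$(mktemp); trap 'rm -f "$SAMPLE_WEB_XML"' EXIT
cat > "$SAMPLE_WEB_XML" <<'EOF'
<web-app><servlet><servlet-name>default</servlet-name>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>
EOF
writable=$(default_servlet_writable "$SAMPLE_WEB_XML")
canon_caches_status 11 "$writable" "-Xmx1g"
```

On a real host, point default_servlet_writable at conf/web.xml (and any per-application WEB-INF/web.xml that overrides the default servlet) and pass the options Tomcat was actually started with.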

The ASF credited security researchers Nacl, WHOAMI, Yemoli, and Ruozhi for identifying and reporting both shortcomings. It also acknowledged the KnownSec 404 Team for independently reporting CVE-2024-56337 with proof-of-concept (PoC) code.

The disclosure comes as the Zero Day Initiative (ZDI) shared details of a critical bug in Webmin (CVE-2024-12828, CVSS score: 9.9) that allows authenticated remote attackers to execute arbitrary code.

“The specific flaw exists within the handling of CGI requests,” the ZDI said. “The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.”
