Thursday, December 26, 2024
The Apache Software Foundation (ASF) has addressed a critical vulnerability in the Tomcat server software, identified as CVE-2024-56337. Researchers have warned that this flaw could be exploited to achieve Remote Code Execution (RCE) under certain conditions. Apache Tomcat is an open-source software platform supporting Java Servlet, JavaServer Pages (JSP), Jakarta Expression Language, and WebSocket. Developed by ASF, it is widely used for running Java-based web applications.
The vulnerability is a TOCTOU (Time of Check to Time of Use) race condition that affects Tomcat 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97. It is reachable only when the default servlet is write-enabled (its readonly initialisation parameter set to false, which is not the shipped default) on a case-insensitive file system. CVE-2024-56337 was assigned because the original fix for CVE-2024-50379 (CVSS score 9.8) was incomplete: depending on the Java version Tomcat runs on, the sun.io.useCanonCaches system property must also be set. To fully mitigate CVE-2024-50379, the following configuration is required:
- Java 8/11: Set sun.io.useCanonCaches to false (default is true).
- Java 17: Ensure sun.io.useCanonCaches is set to false (default is false).
- Java 21+: No configuration required (the property has been removed from the JDK).
From Tomcat 11.0.3, 10.1.35, and 9.0.99 onward, Tomcat itself enforces the appropriate sun.io.useCanonCaches setting, so the manual JVM property is no longer required on those releases.
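The following is an added example, not code from the advisory or from the Tomcat project: a POSIX shell helper that turns the Java-version table above into an audit. It derives the JDK major version from a `java -version` banner, decides whether `-Dsun.io.useCanonCaches=false` is needed, emits the line to append to `bin/setenv.sh`, checks whether an options string already carries the flag, and checks the precondition that makes the flaw reachable (a `readonly=false` init-param on the default servlet in `conf/web.xml`). The function names, the `setenv.sh` convention and the sample banners and web.xml fragments are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the advisory or the Tomcat project): decide, for a
# given JDK, whether sun.io.useCanonCaches must be forced to false, emit the
# CATALINA_OPTS line for bin/setenv.sh, and check the precondition that makes
# the flaw reachable (default servlet write-enabled via readonly=false).
# The version banners and web.xml fragments below are constructed sample input.

# Extract the major version from the first line of `java -version` output.
# "1.8.0_392" -> 8 (pre-9 numbering), "11.0.21" -> 11, "21.0.1" -> 21.
java_major_version() {
  ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
  case "$ver" in
    1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
    *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
  esac
}

# Map a major version onto the advisory's table:
#   8, 11 -> set-false    (property defaults to true, must be overridden)
#   17    -> ensure-false (default already false; pin it explicitly anyway)
#   21+   -> none         (property removed from the JDK)
canon_caches_action() {
  if [ "$1" -ge 21 ]; then
    echo none
  elif [ "$1" -ge 17 ]; then
    echo ensure-false
  else
    echo set-false
  fi
}

# Line to append to $CATALINA_BASE/bin/setenv.sh for that JDK.
catalina_opts_line() {
  case "$(canon_caches_action "$1")" in
    none) echo '# Java 21+: sun.io.useCanonCaches no longer exists; nothing to set' ;;
    *)    echo 'CATALINA_OPTS="$CATALINA_OPTS -Dsun.io.useCanonCaches=false"' ;;
  esac
}

# Does an options string (CATALINA_OPTS, JAVA_OPTS, or a running JVM's command
# line taken from `ps`) already carry the mitigation?
opts_have_mitigation() {
  case " $1 " in
    *" -Dsun.io.useCanonCaches=false "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Precondition check: does this conf/web.xml text write-enable the default
# servlet? Tomcat's shipped web.xml does not set readonly (so it stays true).
default_servlet_writable() {
  printf '%s' "$1" | tr -d '\n\r' |
    grep -q '<param-name>readonly</param-name>[[:space:]]*<param-value>false</param-value>'
}

# Constructed sample inputs.
SAMPLE_BANNER_JDK8='openjdk version "1.8.0_392" 2023-10-17'
SAMPLE_WEBXML_WRITABLE='<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
  </init-param>
</servlet>'
SAMPLE_WEBXML_DEFAULT='<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
</servlet>'

# Print the verdict and the setenv.sh line for one banner.
audit_jdk() {
  major=$(java_major_version "$1")
  printf 'JDK %s: action=%s\n  %s\n' "$major" "$(canon_caches_action "$major")" "$(catalina_opts_line "$major")"
}

audit_jdk "$SAMPLE_BANNER_JDK8"
if default_servlet_writable "$SAMPLE_WEBXML_WRITABLE"; then
  echo 'sample web.xml: default servlet is write-enabled (readonly=false): exposed'
fi
# Same audit against the JVM on this host, if one is on PATH.
if command -v java >/dev/null 2>&1; then
  audit_jdk "$(java -version 2>&1 | head -n 1)"
  opts_have_mitigation "${CATALINA_OPTS:-}" || echo 'CATALINA_OPTS does not set sun.io.useCanonCaches=false'
fi
```

Run it on the Tomcat host as the user that starts Tomcat so that `java` and `CATALINA_OPTS` resolve to what Catalina actually sees; for a server that is already up, feed the JVM's command line from `ps -o args= -p <pid>` to `opts_have_mitigation` instead of the environment variable. Both checks matter: the property is only a mitigation, and a write-enabled default servlet on a case-insensitive file system is what makes the race reachable in the first place, so the lasting fix is still upgrading to the patched releases.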
The vulnerability was discovered by security researchers including Nacl, WHOAMI, Yemoli, and Ruozhi. Additionally, Dawu and Sunflower from the KnownSec 404 team provided further reports and a detailed proof-of-concept for the exploit.
Users are strongly advised to update to the patched Tomcat versions to safeguard against potential attacks exploiting this vulnerability.
Source: https://securityaffairs.com/172273/security/apache-foundation-fixed-tomcat-flaw.html