Apache Tomcat Vulnerability Could Lead to Remote Code Execution
2024-12-23
Learn about the importance of proper configuration management and the risks of unpatched vulnerabilities in Apache Tomcat environments.
The Apache Software Foundation has released a security update for Tomcat server software to address a vulnerability that could lead to remote code execution (RCE) under specific conditions. This issue is related to a previous vulnerability and involves a Time-of-check Time-of-use (TOCTOU) race condition that can occur on case-insensitive file systems when the default servlet is enabled for writing. Users may need to adjust configurations based on their Java version to fully mitigate the risk.
Misconfiguration, Open Source, Patch Management
Apache Tomcat, CVE-2024-56337, Remote Code Execution, TOCTOU, Security Update
CVE-2024-56337; CVE-2024-50379
Apache Tomcat
Understanding the Vulnerability
The Apache Software Foundation has released a crucial security update for its Tomcat server software. This update addresses a significant vulnerability that could allow remote code execution (RCE) under specific conditions. The vulnerability, identified as CVE-2024-56337, is related to an earlier issue, CVE-2024-50379, which carried a CVSS score of 9.8, indicating its critical severity. Both vulnerabilities involve a Time-of-check Time-of-use (TOCTOU) race condition: a gap between checking a condition and using its result, during which the state that was checked can change and lead to security issues. In Tomcat, the flaw can occur on case-insensitive file systems when the default servlet is configured to allow writing.

Conditions for Exploitation
For the vulnerability to be exploited, Tomcat must be running on a case-insensitive file system with the default servlet's "readonly" initialization parameter set to false, allowing write access. The risk is further influenced by the version of Java used with Tomcat, which may require additional configuration changes for full mitigation.

Attack Vector: Concurrent Read and Upload
The vulnerability could be exploited through concurrent reading and uploading of the same file under load. This scenario can bypass Tomcat's case-sensitivity checks, resulting in an uploaded file being incorrectly treated as a JavaServer Page (JSP). This misclassification can lead to remote code execution.

Acknowledgments and Reporting
The Apache Software Foundation credited several security researchers, including Nacl, WHOAMI, Yemoli, and Ruozhi, for identifying and reporting these vulnerabilities. The KnownSec 404 Team was also acknowledged for independently reporting CVE-2024-56337 and providing proof-of-concept (PoC) code.

Recommended Actions
To mitigate these vulnerabilities, users are advised to apply the latest security update provided by Apache and review their Tomcat configurations. Depending on the Java version in use, specific configuration changes may be necessary to ensure full protection against potential exploits.
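As an added configuration check (not code from the article or from the Tomcat project), the script below flags the preconditions this advisory describes in a Tomcat conf/web.xml: a default servlet with readonly=false, plus the per-Java-version handling of the sun.io.useCanonCaches JVM property from Apache's advisory (Java 8/11: must be set to false explicitly; Java 17: defaults to false and must not be set to true; Java 21+: removed, nothing to configure). The sample web.xml is constructed, and whether the file system is case-insensitive is assumed rather than detected.

```python
from typing import List, Optional
import xml.etree.ElementTree as ET

# Constructed sample conf/web.xml: the default servlet with readonly=false (write enabled).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def _local(tag: str) -> str:
    """Strip the XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]

def default_servlet_writable(web_xml: str) -> bool:
    """True when the servlet named 'default' sets readonly=false (absent means Tomcat's default, true)."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text for c in servlet if _local(c.tag) == "servlet-name"), None)
        if (name or "").strip() != "default":
            continue
        for param in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "").lower() == "false"
        return False  # default servlet present but readonly not set: Tomcat defaults it to true
    return False

def canon_cache_finding(java_major: int, use_canon_caches: Optional[bool]) -> Optional[str]:
    """Per-Java-version handling of sun.io.useCanonCaches (None when not set on the JVM command line)."""
    if java_major >= 21:  # property and the problematic cache were removed; nothing to configure
        return None
    if java_major >= 17:  # defaults to false; only an explicit true is unsafe
        return None if use_canon_caches is not True else "sun.io.useCanonCaches is true; set it to false"
    # Java 8 and 11 default it to true, so it must be set to false explicitly
    return None if use_canon_caches is False else "set -Dsun.io.useCanonCaches=false explicitly"

def audit(web_xml: str, java_major: int, use_canon_caches: Optional[bool] = None) -> List[str]:
    """Findings for a writable default servlet; an empty list means the preconditions are absent."""
    if not default_servlet_writable(web_xml):
        return []
    extra = canon_cache_finding(java_major, use_canon_caches)
    return ["default servlet readonly=false: write access enabled"] + ([extra] if extra else [])
```

Run `audit(SAMPLE_WEB_XML, java_major=11)` to see both findings; an empty list means the default servlet is read-only, which is the Tomcat default.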