The Apache Software Foundation (ASF) has released a security update to address a critical vulnerability in its Tomcat server software that could lead to remote code execution (RCE) under certain conditions.
The vulnerability, tracked as CVE-2024-56337, is described as an incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8), another critical security flaw in the same product that was previously addressed on December 17, 2024.
“Users running Tomcat on a case-insensitive file system with the default servlet’s write support enabled (readonly initialization parameter set to the non-default value of false) may require additional configuration to fully mitigate CVE-2024-50379, depending on which version of Java they use with Tomcat,” the project maintainers said in an advisory last week.
Both flaws are time-of-check, time-of-use (TOCTOU) race condition vulnerabilities that could lead to code execution on case-insensitive file systems when the default servlet is writable.
“Concurrent reading and uploading of the same file under load can bypass Tomcat’s case-sensitivity check and cause the uploaded file to be treated as a JSP, leading to remote code execution,” Apache noted in an alert for CVE-2024-50379.
CVE-2024-56337 affects the following versions of Apache Tomcat:
- Apache Tomcat 11.0.0-M1 to 11.0.1 (fixed in 11.0.2 or later)
- Apache Tomcat 10.1.0-M1 to 10.1.33 (fixed in 10.1.34 or later)
- Apache Tomcat 9.0.0.M1 to 9.0.97 (fixed in 9.0.98 or later)
Additionally, users should make the following configuration changes depending on the version of Java being run:
- Java 8 or Java 11 – Explicitly set the sun.io.useCanonCaches system property to false (default is true)
- Java 17 – Set the sun.io.useCanonCaches system property to false if it has been explicitly set (default is false)
- Java 21 and later – No action is required, as the system property has been removed
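The version-dependent guidance above can be turned into a check an administrator runs on a Tomcat host before deciding what to change. The script below is an added example and is not from the Apache advisory or the Tomcat project: it parses a `java -version` line, maps the major version to the advisory's three cases, inspects a web.xml fragment for the default servlet's `readonly` parameter, and emits the JVM option to add. The `sun.io.useCanonCaches` property and the `readonly` parameter come from the advisory; the function names and the sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example: classify a Tomcat host against the CVE-2024-56337 guidance.
# Not part of the Apache advisory; function names and sample data are constructed.

# Extract the major Java version from a `java -version` banner line such as
#   openjdk version "17.0.9" 2023-10-17
#   java version "1.8.0_392"
# The legacy "1.x" scheme maps to x (so "1.8.0_392" -> 8).
java_major() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
        *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
    esac
}

# Map a major version to the advisory's three cases:
#   set-false    (Java 8/11): property defaults to true, must be set to false
#   ensure-false (Java 17):   property defaults to false, must not be left true
#   none         (Java 21+):  property no longer exists
canon_caches_action() {
    major=$1
    if [ "$major" -ge 21 ]; then
        echo "none"
    elif [ "$major" -ge 17 ]; then
        echo "ensure-false"
    else
        echo "set-false"
    fi
}

# JVM option to add to CATALINA_OPTS for a given action. For "ensure-false"
# an explicit false is emitted as well, which also covers the "already set" case.
catalina_opt_for() {
    case "$1" in
        set-false|ensure-false) echo "-Dsun.io.useCanonCaches=false" ;;
        *) echo "" ;;
    esac
}

# Read web.xml text on stdin and report "yes" when the default servlet's
# readonly init-param is set to false (i.e. writes via the default servlet
# are enabled, the precondition named in the advisory). Newlines are removed
# so a param-name/param-value pair split across lines is still matched.
default_servlet_writable() {
    tr -d '\n' | grep -q \
        '<param-name>readonly</param-name>[[:space:]]*<param-value>false</param-value>' \
        && echo yes || echo no
}

# Stand-alone demonstration on constructed inputs.
banner='openjdk version "11.0.21" 2023-10-17'   # constructed sample banner
major=$(java_major "$banner")
action=$(canon_caches_action "$major")
printf 'Java %s -> %s -> CATALINA_OPTS+="%s"\n' "$major" "$action" "$(catalina_opt_for "$action")"

# constructed web.xml fragment with the non-default, writable setting
writable=$(printf '<init-param>\n  <param-name>readonly</param-name>\n  <param-value>false</param-value>\n</init-param>\n' \
    | default_servlet_writable)
printf 'default servlet writable: %s\n' "$writable"
```

On a real host the `readonly` parameter lives in the default servlet entry of conf/web.xml, but an application's own WEB-INF/web.xml can override it, so both should be fed to the check. The emitted option belongs in CATALINA_OPTS (for example in bin/setenv.sh) and does not replace upgrading to the fixed Tomcat release listed above.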
ASF credited security researchers Nacl, WHOAMI, Yemoli, and Ruozhi with discovering and reporting both flaws. It also acknowledged the KnownSec 404 team for independently reporting CVE-2024-56337 with proof-of-concept (PoC) code.
The disclosure comes after the Zero Day Initiative (ZDI) shared information about a critical bug in Webmin (CVE-2024-12828, CVSS Score: 9.9) that allows authenticated remote attackers to execute arbitrary code.
“A specific flaw exists in the processing of CGI requests,” ZDI said. “The problem occurs because the user-supplied string was not properly validated before it was used to make a system call. An attacker could use this vulnerability to execute code in the context of root.”