CVE-2024-56337: Tomcat Protection Bypass Unveiled

The Apache Software Foundation (ASF) has released a security update for a critical vulnerability in the Tomcat server that could allow arbitrary code execution under certain conditions. The vulnerability, tracked as CVE-2024-56337, stems from an incomplete fix for a previously resolved issue, CVE-2024-50379 (CVSS: 9.8), which was patched on December 17, 2024.

According to the official notification, users running Tomcat on a case-insensitive file system with the default servlet's readonly parameter set to false must make additional configuration changes, depending on the Java version, to fully mitigate the vulnerability.

Both vulnerabilities are Time-Of-Check Time-Of-Use (TOCTOU) race conditions. They allow code execution on case-insensitive file systems when the default servlet has writes enabled (readonly set to false).

The issue occurs when a file is read and uploaded concurrently under load: the case-sensitivity check can be bypassed and the uploaded file processed as a JSP, exposing a remote code execution risk.

The CVE-2024-56337 vulnerability impacts the following versions of Apache Tomcat:

  • Apache Tomcat 11.0.0-M1 to 11.0.1 (fixed in 11.0.2 and above);
  • Apache Tomcat 10.1.0-M1 to 10.1.33 (fixed in 10.1.34 and above);
  • Apache Tomcat 9.0.0.M1 to 9.0.97 (fixed in 9.0.98 and above).

Beyond upgrading, configuration changes that depend on the Java version are also required:

  • For Java 8 and Java 11: set the system property sun.io.useCanonCaches to true (the default setting).
  • For Java 17: ensure the property sun.io.useCanonCaches is disabled (already disabled by default).
  • For Java 21 and newer: no additional action is necessary, as the property has been removed.
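As an added audit helper (not taken from the ASF advisory or the Tomcat project), the POSIX shell script below checks the two conditions the text describes: whether the default servlet in a web.xml has readonly set to false (writes enabled), and whether the running Java major version is one in which the sun.io.useCanonCaches property still exists (per the text, it is removed in Java 21 and newer). The sample web.xml it writes is constructed for the demonstration, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper, not taken from the ASF advisory or the Tomcat project.
# Checks the two conditions the text describes:
#   1. does the default servlet in web.xml have readonly=false (writes enabled)?
#   2. does the Java major version still carry the sun.io.useCanonCaches
#      property (the text states it was removed in Java 21 and newer)?

# Return 0 when the DefaultServlet block of the given web.xml sets the
# readonly init-param to false. A missing parameter means Tomcat's default
# (readonly=true), so it is treated as not writable.
# Limitation: commented-out <servlet> blocks are not skipped.
default_servlet_writable() {
    awk '
        /<servlet>/   { inblk = 1; blk = "" }
        inblk         { blk = blk $0 }
        /<\/servlet>/ { inblk = 0; if (blk ~ /DefaultServlet/) print blk }
    ' "$1" \
    | tr -d ' \t' \
    | grep -qi '<param-name>readonly</param-name><param-value>false</param-value>'
}

# Print the Java major version from a version string:
# "1.8.0_392" -> 8, "11.0.21" -> 11, "17.0.9" -> 17, "21" -> 21.
java_major() {
    first=${1%%.*}
    if [ "$first" = "1" ]; then
        rest=${1#1.}
        printf '%s\n' "${rest%%[._]*}"
    else
        printf '%s\n' "${first%%[-_]*}"
    fi
}

# Return 0 when the sun.io.useCanonCaches property still exists for this
# Java version (major < 21), i.e. when the version-specific step applies.
canon_cache_property_present() {
    [ "$(java_major "$1")" -lt 21 ]
}

# Write a constructed (sample) web.xml to path $1 with the DefaultServlet's
# readonly parameter set to $2.
write_sample_webxml() {
    cat > "$1" <<EOF
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>$2</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
  </servlet>
</web-app>
EOF
}

# Demonstration on the constructed sample; a real check would point at
# $CATALINA_BASE/conf/web.xml and at the version reported by "java -version".
sample=$(mktemp)
write_sample_webxml "$sample" false
if default_servlet_writable "$sample"; then
    echo "default servlet is writable (readonly=false): exposed on case-insensitive file systems"
else
    echo "default servlet is read-only"
fi
rm -f "$sample"

for v in 1.8.0_392 11.0.21 17.0.9 21.0.1; do
    if canon_cache_property_present "$v"; then
        echo "Java $(java_major "$v"): sun.io.useCanonCaches exists, apply the version-specific setting"
    else
        echo "Java $(java_major "$v"): property removed, no further setting needed"
    fi
done
```

The web.xml check flattens each servlet block to one whitespace-free line before matching, so it tolerates the multi-line layout Tomcat ships; it only reports a finding when readonly is explicitly false, because Tomcat's default is read-only.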

ASF expressed gratitude to researchers NaCl, Whoami
