The Apache Software Foundation (ASF) has released a crucial security update addressing a significant vulnerability in its Tomcat server software, identified as CVE-2024-56337. This vulnerability can potentially lead to remote code execution (RCE) under certain conditions.
Key Details: CVE-2024-56337 exists because the fix for CVE-2024-50379 (CVSS score: 9.8), a critical flaw addressed earlier on December 17, 2024, was incomplete.
Affected Versions:
• Apache Tomcat 11.0.0-M1 to 11.0.1 (fixed in 11.0.2 or later)
• Apache Tomcat 10.1.0-M1 to 10.1.33 (fixed in 10.1.34 or later)
• Apache Tomcat 9.0.0.M1 to 9.0.97 (fixed in 9.0.98 or later)
Technical Insight: Both CVE-2024-56337 and CVE-2024-50379 are Time-of-check Time-of-use (TOCTOU) race condition vulnerabilities. These flaws could lead to code execution on case-insensitive file systems when the default servlet has write access enabled.
Advisory from Project Maintainers:
Users running Tomcat on a case-insensitive file system with default servlet write access enabled (readonly initialization parameter set to false) may need additional configuration, depending on their Java version, to fully mitigate CVE-2024-50379:
• Java 8 or Java 11: Set system property sun.io.useCanonCaches to false (default is true).
• Java 17: Set system property sun.io.useCanonCaches to false, if already set (default is false).
• Java 21 and later: No action required as the property has been removed.
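The advisory above as a configuration check, added here as example code (not Tomcat's own): it parses a conf/web.xml for a DefaultServlet declared with readonly=false and maps an operator-supplied Java major version onto the sun.io.useCanonCaches guidance. It assumes Tomcat is already on a fixed version and that the operator knows whether the file system is case-insensitive.

```python
"""Added example (not Apache Tomcat code): audit a Tomcat conf/web.xml for the
exposure in the advisory and report the sun.io.useCanonCaches step per Java version."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: default servlet with write access enabled (readonly=false).
# Tomcat ships readonly=true; this is the exposed configuration, not the default.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def _local(tag: str) -> str:
    # Drop the namespace; Tomcat 9 uses javaee, Tomcat 10/11 use jakartaee.
    return tag.rsplit("}", 1)[-1]

def default_servlet_writable(web_xml: str) -> bool:
    """True if the DefaultServlet is declared with init-param readonly=false."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        if not any(_local(c.tag) == "servlet-class" and (c.text or "").strip() == DEFAULT_SERVLET
                   for c in servlet):
            continue
        readonly = "true"  # Tomcat's default when the init-param is absent
        for param in (c for c in servlet if _local(c.tag) == "init-param"):
            fields = {_local(f.tag): (f.text or "").strip() for f in param}
            if fields.get("param-name") == "readonly":
                readonly = fields.get("param-value", "true")
        return readonly.lower() == "false"
    return False

def canon_cache_action(java_major: int, writable: bool) -> str:
    """Map the advisory's per-Java-version guidance onto one instance."""
    if not writable:
        return "default servlet is read-only: no sun.io.useCanonCaches change needed"
    if java_major in (8, 11):
        return "set -Dsun.io.useCanonCaches=false (default is true)"
    if java_major == 17:
        return "set -Dsun.io.useCanonCaches=false if it is set at all (default is false)"
    if java_major >= 21:
        return "no action: the property was removed"
    return "Java version not covered by the advisory; check your JVM's default"
```

Run `default_servlet_writable` over the real conf/web.xml (and any per-application web.xml that redeclares the default servlet), then feed the result and `java -version` output into `canon_cache_action`.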
Contributions and Acknowledgments: ASF credits security researchers Nacl, WHOAMI, Yemoli, and Ruozhi for identifying and reporting the vulnerabilities. The KnownSec 404 Team also independently reported CVE-2024-56337 with proof-of-concept (PoC) code.
Related Vulnerability: The Zero Day Initiative (ZDI) recently shared details of a critical Webmin bug (CVE-2024-12828, CVSS score: 9.9) enabling authenticated remote attackers to execute arbitrary code due to improper validation of user-supplied strings in CGI requests.