Summary: A critical security update has been released by the Apache Software Foundation to address a remote code execution vulnerability in Apache Tomcat, identified as CVE-2024-56337. This vulnerability affects multiple versions of Tomcat and poses a significant risk to users with specific configurations.
Threat Actor: Malicious Actors
Victim: Apache Tomcat Users
Key Points:
- Vulnerability CVE-2024-56337 allows remote code execution on affected Tomcat versions.
- Exploitation is possible on case-insensitive file systems with the default servlet’s write functionality enabled.
- Users are urged to update to the latest secure versions of Apache Tomcat to mitigate risks.
- Specific Java configurations may be required based on the version in use to fully secure installations.
- Researchers Nacl, WHOAMI, Yemoli, and Ruozhi reported the vulnerability, with contributions from the Knownsec 404 team.
The Apache Software Foundation recently released a critical security update to address a remote code execution (RCE) vulnerability in Apache Tomcat, identified as CVE-2024-56337. This vulnerability affects a wide range of Tomcat versions, including 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97.
This vulnerability stems from an incomplete mitigation for a previous vulnerability, CVE-2024-50379. Attackers could exploit this flaw on case-insensitive file systems where Tomcat’s default servlet has write functionality enabled. By manipulating specific paths, malicious actors could bypass security measures and upload files containing harmful JSP code, ultimately leading to remote code execution.
Users running affected versions of Apache Tomcat on case-insensitive file systems, particularly those with the default servlet’s write functionality enabled, are most vulnerable. This vulnerability poses a significant threat as it could allow attackers to gain complete control of the affected system.
CVE-2024-56337 was identified and reported by researchers Nacl, WHOAMI, Yemoli, and Ruozhi, with further contributions from the Knownsec 404 team, including dawu and Sunflower, who provided a detailed PoC.
The Apache Software Foundation urges users to update their Tomcat installations to the latest secure versions:
Depending on the Java version used with Tomcat, further configuration may be necessary to fully mitigate the risk:
- Java 8 or Java 11: Explicitly set the system property sun.io.useCanonCaches to false.
- Java 17: Ensure the system property sun.io.useCanonCaches, if set, is set to false.
- Java 21 and later: No further action is required.
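The two conditions the advisory ties to exposure (a default servlet with write functionality enabled, and the per-Java-version handling of sun.io.useCanonCaches) can both be checked from a shell. The script below is an added example, not code from the advisory or from the Tomcat project. It assumes the default servlet's write access is controlled by Tomcat's `readonly` init-param in web.xml (Tomcat's default for that param is true) and that JVM options are supplied as a single string such as CATALINA_OPTS; the web.xml content and option strings it inspects are constructed samples, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the advisory or the Tomcat project): audit the two
# conditions the advisory ties to CVE-2024-56337 exposure -- a writable default
# servlet (readonly=false in web.xml; Tomcat's default is true) and the
# sun.io.useCanonCaches JVM property as required per Java major version.
# The web.xml content and JVM option strings below are constructed samples.

# Print "writable" if the servlet named "default" in the given web.xml carries
# readonly=false, otherwise "read-only". Only the default servlet's own
# <servlet> block is inspected, so a "false" on some other init-param
# (e.g. listings) is not mistaken for readonly.
default_servlet_writable() {
    awk '
        /<servlet>/   { inblock = 1; buf = "" }
        inblock       { buf = buf $0 "\n" }
        /<\/servlet>/ {
            if (inblock && buf ~ /<servlet-name>default<\/servlet-name>/ &&
                buf ~ /<param-name>readonly<\/param-name>[ \t\n]*<param-value>false<\/param-value>/)
                found = 1
            inblock = 0
        }
        END { print (found ? "writable" : "read-only") }
    ' "$1"
}

# Print the value given to -Dsun.io.useCanonCaches in a JVM option string
# (e.g. CATALINA_OPTS), or "unset" if the property is not passed at all.
# When the flag is repeated, the last occurrence is reported.
canon_caches_value() {
    val=$(printf '%s\n' "$1" | tr -s ' \t' '\n' \
          | sed -n 's/^-Dsun\.io\.useCanonCaches=//p' | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# Apply the advisory's per-version rule. $1 is the Java major version as an
# integer (8, 11, 17, 21, ...), $2 the JVM option string.
# Prints "ok" or "action-required: <what to change>".
canon_caches_status() {
    java_major=$1
    val=$(canon_caches_value "$2")
    if [ "$java_major" -ge 21 ]; then
        # Java 21 and later: no further action is required
        printf 'ok\n'
    elif [ "$java_major" -ge 17 ]; then
        # Java 17: the property may be left unset, but if set it must be false
        if [ "$val" = unset ] || [ "$val" = false ]; then
            printf 'ok\n'
        else
            printf 'action-required: sun.io.useCanonCaches is %s, set it to false\n' "$val"
        fi
    else
        # Java 8 / 11: the property must be set explicitly to false
        if [ "$val" = false ]; then
            printf 'ok\n'
        else
            printf 'action-required: add -Dsun.io.useCanonCaches=false (currently %s)\n' "$val"
        fi
    fi
}

# Write a constructed web.xml to $1 with the default servlet's readonly
# init-param set to $2 (true or false).
write_sample_webxml() {
    cat > "$1" <<EOF
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>$2</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
</web-app>
EOF
}

# Demo run on the constructed samples.
sample=${TMPDIR:-/tmp}/web.xml.sample.$$
write_sample_webxml "$sample" false
printf 'default servlet in sample web.xml: %s\n' "$(default_servlet_writable "$sample")"
rm -f "$sample"
for entry in "8|-Xmx1g" "11|-Xmx1g -Dsun.io.useCanonCaches=false" \
             "17|-Dsun.io.useCanonCaches=true" "21|"; do
    printf 'Java %s with options "%s": %s\n' "${entry%%|*}" "${entry#*|}" \
        "$(canon_caches_status "${entry%%|*}" "${entry#*|}")"
done
```

In a real deployment, point `default_servlet_writable` at `$CATALINA_BASE/conf/web.xml` (and at any application's WEB-INF/web.xml that overrides the default servlet) and pass the options string actually used to start the JVM; the version rule in `canon_caches_status` mirrors the three cases listed above, so a "read-only" servlet or an "ok" status is the state the advisory asks for.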
Source: https://securityonline.info/cve-2024-56337-apache-tomcat-patches-critical-rce-vulnerability