CVE-2024-56337

Overview

Apache Tomcat is an open-source web server and servlet container developed by the Apache Software Foundation. It implements several Java Enterprise Edition (Java EE) specifications including Java Servlet, JavaServer Pages (JSP), and WebSocket, allowing it to run Java web applications. Tomcat is widely used in both development and production environments due to its lightweight nature, ease of configuration, and compatibility with various Java applications. 

‍

A Remote Code Execution (RCE) vulnerability (CVE-2024-56337) has been identified in Apache Tomcat. This vulnerability is a mitigation for the incomplete mitigation of CVE-2024-50379 and additional configuration might be needed to fully mitigate depending on what version is being used.

‍

The Open Web Application Security Project (OWASP) explains that RCE through code injection flaws are among the top-10 vulnerabilities. They are among the most potentially damaging of vulnerabilities because injected code:

• Can access internal application objects/methods
• Can often bypass security controls
• May persist across sessions
• Can often pivot to gain OS-level access

‍

This issue affects multiple versions of Apache Tomcat below 11.0.2.

‍

Details

Module Info

• Product: Apache Tomcat
• Affected packages: tomcat-embed-core, tomcat-catalina
• Affected versions: >=9.0.0.M1 <9.0.98, >=10.1.0-M1 <10.1.34, >=11.0.0-M1 <11.0.2
• GitHub repository: https://github.com/apache/tomcat

• Published packages:
  
  • https://central.sonatype.com/artifact/org.apache.tomcat.embed/tomcat-embed-core
  • https://central.sonatype.com/artifact/org.apache.tomcat/tomcat-catalina
  • https://central.sonatype.com/artifact/org.apache.tomcat/tomcat-embed-core

• Package manager: Maven
• Fixed in: 9.0.98, 10.1.34, and 11.0.2

‍

Vulnerability Info

An attacker can exploit a vulnerable Apache Tomcat server by concurrently reading and uploading the same file. At high load this can bypass Tomcat’s case sensitivity checks and cause the uploaded file to be treated as JSP, resulting in remote code execution.

‍

A Tomcat server is considered vulnerable if both of the following conditions are met:

1. The underlying file system is case-insensitive.
2. The server configuration has been modified from the default to allow write access via the default servlet.

‍

When these conditions are present, an attacker may bypass intended security controls and execute arbitrary code on the server.

‍

Mitigation

Only recent versions of Apache Tomcat are community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

‍

Users of the affected components should apply one of the following mitigations:

• Upgrade to a patched version of Apache Tomcat
• Running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
• Running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
• Running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Leverage a commercial support partner like HeroDevs for post-EOL security support.

‍

Credit

• This vulnerability was identified by Nacl, WHOAMI, Yemoli and Ruozhi
• This vulnerability was independently reported with a very helpful PoC by dawu@knownsec 404 team and Sunflower@knownsec 404 team.