Apache Addresses Critical Vulnerability in Tomcat Web Server

December 23, 2024

Apache has released a security patch for a severe vulnerability in its Tomcat web server that could allow an attacker to execute code remotely. Apache Tomcat is a widely used open-source web server and servlet container, primarily used to deploy and run Java-based web applications. It provides a runtime environment for Java Servlets, JavaServer Pages (JSP), and Java WebSocket technologies. The product is favored by large enterprises running custom web applications, SaaS providers relying on Java for backend services, and cloud and hosting services integrating Tomcat for app hosting. Software developers also use it to build, test, and deploy web apps.

The newly fixed vulnerability, tracked as CVE-2024-56337, is an additional mitigation for CVE-2024-50379, a critical remote code execution issue for which Apache released an incomplete patch on December 17. The underlying problem is a time-of-check time-of-use (TOCTOU) race condition that affects systems where the default servlet has write access enabled (the 'readonly' initialization parameter set to false) and that run on case-insensitive file systems. The issue affects Apache Tomcat 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97. Users are advised to upgrade to the latest Tomcat versions: 11.0.2, 10.1.34, and 9.0.98.

Upgrading alone is not sufficient to address this issue: depending on the Java version in use, users may also need to change their configuration. The Apache team has shared its plans for security enhancements in the upcoming Tomcat versions 11.0.3, 10.1.35, and 9.0.99. Specifically, Tomcat will verify that 'sun.io.useCanonCaches' is set correctly before enabling write access for the default servlet on case-insensitive file systems, and it will default 'sun.io.useCanonCaches' to false where possible. These changes are intended to enforce safer configurations automatically and reduce the risk of exploitation of CVE-2024-50379 and CVE-2024-56337.
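The two conditions the advisory ties together, a default servlet with 'readonly' set to false and a JVM whose 'sun.io.useCanonCaches' setting is wrong for its Java version, are both things an administrator can audit from configuration files. The following is an added example (not Apache's or the article's own code) that checks a Tomcat conf/web.xml fragment for a writable default servlet and classifies the JVM options against the per-Java-version guidance from Apache's advisory (Java 8 and 11 must set the property to false explicitly, Java 17 must not set it to true, Java 21 and later need nothing). The web.xml sample is constructed, the return-value labels are this example's own, and Java versions the advisory does not name are treated conservatively as needing an explicit false.

```python
"""Audit helpers for the Tomcat default-servlet write / useCanonCaches
exposure (CVE-2024-50379 / CVE-2024-56337).  Added example, not Apache's
own code.  Assumes web.xml uses the standard <servlet>/<init-param> layout
with the 'readonly' parameter on the servlet named 'default', and that JVM
options are passed as one string as they appear in CATALINA_OPTS/setenv.sh.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of a conf/web.xml fragment with the default servlet
# opened for writes (the risky setting the advisory describes).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def default_servlet_writable(web_xml_text: str) -> bool:
    """True if the servlet named 'default' has readonly=false.
    Tomcat's built-in default is readonly=true, so an absent parameter
    counts as read-only (not exposed)."""
    root = ET.fromstring(web_xml_text)
    # Drop XML namespaces so the lookup works whichever schema version is used.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    for servlet in root.iter("servlet"):
        if servlet.findtext("servlet-name", "").strip() != "default":
            continue
        for param in servlet.iter("init-param"):
            if param.findtext("param-name", "").strip() == "readonly":
                return param.findtext("param-value", "").strip().lower() == "false"
    return False


def canon_caches_setting(jvm_opts: str):
    """Value of -Dsun.io.useCanonCaches in a JVM options string, or None if unset."""
    m = re.search(r"-Dsun\.io\.useCanonCaches=(\S+)", jvm_opts)
    return m.group(1).lower() if m else None


def remediation(java_major: int, jvm_opts: str, writable: bool) -> str:
    """Classify one Tomcat instance.  Rules follow Apache's advisory:
    Java 8/11 default useCanonCaches to true and need an explicit false;
    Java 17 defaults to false, so only an explicit true is a problem;
    Java 21+ removed the property and the cache.  Labels are this
    example's own (hypothetical), not Tomcat output."""
    if not writable:
        return "not-exposed: default servlet is read-only"
    setting = canon_caches_setting(jvm_opts)
    if java_major >= 21:
        return "ok: Java 21+ has no canonical-path cache"
    if java_major >= 17:
        if setting == "true":
            return "action: remove -Dsun.io.useCanonCaches=true from CATALINA_OPTS"
        return "ok: Java 17 defaults useCanonCaches to false"
    # Java 8/11 (and, conservatively, any other version below 17).
    if setting == "false":
        return "ok: useCanonCaches explicitly false"
    return "action: add -Dsun.io.useCanonCaches=false to CATALINA_OPTS"


if __name__ == "__main__":
    writable = default_servlet_writable(SAMPLE_WEB_XML)
    print("default servlet writable:", writable)
    # Constructed CATALINA_OPTS values for three hypothetical hosts.
    for java, opts in ((11, "-Xmx2g"), (17, "-Dsun.io.useCanonCaches=true"), (21, "")):
        print(f"Java {java}: {remediation(java, opts, writable)}")
```

Run it against a real installation by reading conf/web.xml and the CATALINA_OPTS line from bin/setenv.sh; only a host that reports "action" needs a configuration change in addition to the upgrade to 11.0.2, 10.1.34, or 9.0.98.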
