Apache Addresses Critical Vulnerability in Tomcat Web Server
December 23, 2024
Apache has released a security patch for a vulnerability in its Tomcat web server that could allow an attacker to execute code remotely. Apache Tomcat is a widely used open-source web server and servlet container, primarily used to deploy and run Java-based web applications. It provides a runtime environment for Java Servlets, JavaServer Pages (JSP), and Java WebSocket technologies. It is favored by large enterprises running custom web applications, SaaS providers relying on Java for backend services, and cloud and hosting providers that use Tomcat for application hosting. Software developers also use it to build, test, and deploy web apps.
The newly assigned identifier, CVE-2024-56337, covers an additional mitigation for CVE-2024-50379, a remote code execution issue for which Apache released an incomplete patch on December 17. The underlying problem is a time-of-check time-of-use (TOCTOU) race condition in the default servlet. It is reachable only when write access is enabled (the 'readonly' initialization parameter set to false; Tomcat ships with it set to true) and the server runs on a case-insensitive file system such as Windows or macOS. Under those conditions, a concurrent read and upload of the same file under load can bypass Tomcat's case-sensitivity checks and cause an uploaded file to be treated as a JSP, leading to remote code execution. The issue affects Apache Tomcat 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97. Users are advised to upgrade to the fixed versions: 11.0.2, 10.1.34, and 9.0.98.
Upgrading alone is not sufficient. Because the race depends on the JVM's file canonicalization cache, the required additional step depends on the Java version in use. On Java 8 or Java 11, the system property 'sun.io.useCanonCaches' must be explicitly set to false (it defaults to true). On Java 17, the property, if set at all, must be set to false (it defaults to false). On Java 21 and later, no further configuration is required, because the property and the problematic cache have been removed. The Apache team has shared plans for the upcoming versions 11.0.3, 10.1.35, and 9.0.99: Tomcat will verify that 'sun.io.useCanonCaches' is set correctly before enabling write access for the default servlet on case-insensitive file systems, and will default 'sun.io.useCanonCaches' to false where possible. These changes are intended to enforce safer configurations automatically and reduce the risk of exploitation of CVE-2024-50379 and CVE-2024-56337.
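As an added example (not code from the Apache advisory or the Tomcat project), the following Python script encodes the exposure conditions and the per-Java-version requirement described above into an audit that can be run offline against a deployment's conf/web.xml text, its CATALINA_OPTS string, its Java major version and the Tomcat version string. The fixed Tomcat versions and the Java 8/11, 17 and 21 rules come from the advisory; the sample web.xml, the function names, and the choice to treat Java 12 through 16 like Java 8/11 (always requiring the explicit false, which is harmless where the default is already false) are assumptions made here.

```python
"""Audit a Tomcat instance for the CVE-2024-50379 / CVE-2024-56337 exposure
conditions: affected version, writable default servlet, case-insensitive
file system, and the per-Java-version sun.io.useCanonCaches requirement."""
import re
import xml.etree.ElementTree as ET

# First releases carrying the December 17 fix; lower versions on the same branch are affected.
FIXED = {9: (9, 0, 98), 10: (10, 1, 34), 11: (11, 0, 2)}

# Constructed sample of a conf/web.xml default-servlet block with write access enabled.
WEB_XML_WRITABLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""
# Same block with Tomcat's shipped default (readonly=true), for comparison.
WEB_XML_READONLY = WEB_XML_WRITABLE.replace("<param-value>false</param-value>", "<param-value>true</param-value>")


def parse_version(version):
    """Turn '9.0.97', '9.0.0.M1' or '11.0.0-M1' into a sortable tuple; milestones sort below the final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))


def is_patched(version):
    """True if the version carries the fix, False if affected, None if the branch is not in FIXED."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return None
    return parsed >= fixed + (1, 0)


def _local(element):
    """Tag name without the web-app XML namespace."""
    return element.tag.split("}")[-1]


def default_servlet_writable(web_xml):
    """True if the default servlet's 'readonly' init-param is false (PUT/DELETE enabled)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet) != "servlet":
            continue
        name = next((c.text for c in servlet if _local(c) == "servlet-name"), None)
        if (name or "").strip() != "default":
            continue
        for param in servlet:
            if _local(param) != "init-param":
                continue
            kv = {_local(c): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "").lower() == "false"
    return False  # no explicit setting: Tomcat's default is readonly=true


def canon_caches_setting(jvm_opts):
    """Explicit -Dsun.io.useCanonCaches value from a CATALINA_OPTS/JAVA_OPTS string, or None if unset."""
    m = re.search(r"-Dsun\.io\.useCanonCaches=(\S+)", jvm_opts)
    return m.group(1).lower() if m else None


def canon_caches_finding(java_major, setting):
    """Apply the advisory's per-Java rule; returns a finding string, or None when the JVM side is safe."""
    if java_major >= 21:
        return None  # property and cache removed; nothing to configure
    if java_major >= 17:
        # Default is already false; only an explicit true reintroduces the cache.
        return "sun.io.useCanonCaches is explicitly true on Java 17: set it to false" if setting == "true" else None
    # Java 8 and 11 default to true and need the explicit false. Java 12 to 16 are handled
    # the same way here (an assumption; an explicit false is harmless where it is already the default).
    if setting != "false":
        return f"Java {java_major}: add -Dsun.io.useCanonCaches=false to CATALINA_OPTS (default is true)"
    return None


def audit(tomcat_version, web_xml, java_major, jvm_opts, case_insensitive_fs):
    """Return the list of findings; an empty list means the instance is not exposed."""
    findings = []
    patched = is_patched(tomcat_version)
    if patched is None:
        findings.append(f"Tomcat {tomcat_version}: branch not in the fix table, check the vendor advisory")
    elif not patched:
        findings.append(f"Tomcat {tomcat_version} is affected by CVE-2024-50379: upgrade to 9.0.98, 10.1.34 or 11.0.2")
    if not (default_servlet_writable(web_xml) and case_insensitive_fs):
        return findings  # read-only default servlet or case-sensitive FS: the race is not reachable
    findings.append("default servlet has readonly=false on a case-insensitive file system")
    extra = canon_caches_finding(java_major, canon_caches_setting(jvm_opts))
    if extra:
        findings.append(extra)
    return findings


if __name__ == "__main__":
    for line in audit("9.0.97", WEB_XML_WRITABLE, 11, "-Xmx1g", case_insensitive_fs=True):
        print("-", line)
```

The early return in `audit` is deliberate: a read-only default servlet or a case-sensitive file system removes the exposure condition entirely, so no JVM property is needed there, while an affected version is still reported for upgrade. Point the script at the real `conf/web.xml` and the `CATALINA_OPTS` from `bin/setenv.sh` to audit a live install.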