Hack Reports - Latest Cybersecurity News, Trends & Updates

Apache fixes remote code execution bypass in Tomcat web server

Geetansh -

The latest news on the Apache Tomcat vulnerability fix involves a critical remote code execution (RCE) vulnerability, tracked as CVE-2024-56337, which has been addressed in a recent security update by the Apache Software Foundation134.

Key Highlights:

  1. Vulnerability Description:

    • The vulnerability, CVE-2024-56337, is a time-of-check time-of-use (TOCTOU) race condition that affects systems with the default servlet write enabled ('readonly' initialization parameter set to false) and running on case-insensitive file systems13.

  2. Affected Versions:

    • The issue affects Apache Tomcat versions 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.9713.

  3. Mitigation Steps:

    • Users are advised to upgrade to the latest Tomcat versions: 11.0.2, 10.1.34, and 9.0.9813.
    • Additional configuration may be necessary depending on the Java version used:
      • For Java 8 or 11, set the system property ‘sun.io.useCanonCaches’ to ‘false’ (default: true)1.
      • For Java 17, ensure ‘sun.io.useCanonCaches’ is configured as false (default: false)1.
      • For Java 21 and later, no configuration is needed as the problematic cache has been removed1.

  4. Security Update Context:

    • This vulnerability was identified as an incomplete mitigation for CVE-2024-50379, a critical RCE vulnerability13.
    • The Apache Software Foundation urges users to update their Tomcat installations to the latest secure versions to mitigate the risk of remote code execution3.

  5. Research and Reporting:

    • The vulnerability was identified and reported by researchers Nacl, WHOAMI, Yemoli, and Ruozhi, with further contributions from the Knownsec 404 team3.

Trustworthy Citations:

  • 1 BleepingComputer: "Apache fixes remote code execution bypass in Tomcat web server"
  • 3 SecurityOnline.info: "CVE-2024-56337: Apache Tomcat Patches Critical RCE Vulnerability"
  • 4 SecurityOnline.info: "Vulnerability Archives • Cybersecurity News - SecurityOnline.info"

Conclusion:

The Apache Software Foundation has released a critical security update to address the CVE-2024-56337 vulnerability in Apache Tomcat, which could lead to remote code execution. Users are advised to upgrade to the latest versions of Tomcat and perform additional configuration steps based on their Java version to fully mitigate the risk.