Apache Tomcat Vulnerability CVE-2024-56337: A New Threat Enabling Remote Code Execution (RCE)


The Apache Software Foundation (ASF) has issued a critical security update addressing a significant vulnerability in its Tomcat server software that could lead to remote code execution (RCE) under specific conditions.


CVE-2024-56337: Incomplete Mitigation of CVE-2024-50379

The vulnerability, identified as CVE-2024-56337, stems from an incomplete fix for CVE-2024-50379, a critical security flaw with a CVSS score of 9.8 that was patched on December 17, 2024.


According to ASF, the issue primarily affects users running Tomcat on a case-insensitive file system with the default servlet's write support enabled. If the default servlet's readonly initialization parameter is set to false, additional configuration changes may be necessary depending on the version of Java being used with Tomcat.
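As an added example (not from the advisory or the Tomcat project), a POSIX shell check that tests a Tomcat configuration against the conditions just described: whether the default servlet has readonly=false in web.xml, and whether the sun.io.useCanonCaches system property named in the advisory's mitigation steps is set appropriately for the Java version in use. The web.xml fragment and JVM option strings are constructed sample input; a case-insensitive file system is assumed rather than detected.

```shell
#!/bin/sh
# Added example, not from the advisory or the Tomcat project. Checks a Tomcat
# configuration for the CVE-2024-56337 conditions: writable default servlet
# (readonly=false) plus the sun.io.useCanonCaches setting per Java version.

# Returns 0 when the default servlet is writable (readonly=false), 1 otherwise.
# Crude tag scan, not a full XML parser; Tomcat's stock web.xml comments do
# not contain these literal tags, so they do not produce false positives.
default_servlet_writable() {
  tr -d '\n' < "$1" | grep -q \
    '<param-name>[[:space:]]*readonly[[:space:]]*</param-name>[[:space:]]*<param-value>[[:space:]]*false[[:space:]]*</param-value>'
}

# Prints the sun.io.useCanonCaches action for a Java major version and the
# JVM options Tomcat is started with (CATALINA_OPTS / JAVA_OPTS).
canon_cache_action() {
  major=$1; opts=$2
  case "$major" in
    8|11) echo "$opts" | grep -q -- '-Dsun.io.useCanonCaches=false' \
            && echo "mitigated" || echo "set -Dsun.io.useCanonCaches=false" ;;
    17)   echo "$opts" | grep -q -- '-Dsun.io.useCanonCaches=true' \
            && echo "remove -Dsun.io.useCanonCaches=true" || echo "mitigated" ;;
    *)    [ "$major" -ge 21 ] 2>/dev/null && echo "no action" || echo "unknown Java version" ;;
  esac
}

# Combines both conditions: with a read-only default servlet the race is not reachable.
assess() {
  if default_servlet_writable "$1"; then canon_cache_action "$2" "$3"; else echo "not exposed"; fi
}

# Constructed sample: a web.xml that makes the default servlet writable.
SAMPLE_WEBXML=$(mktemp)
cat > "$SAMPLE_WEBXML" <<'EOF'
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
EOF

assess "$SAMPLE_WEBXML" 11 "-Xmx1g"                                # set -Dsun.io.useCanonCaches=false
assess "$SAMPLE_WEBXML" 11 "-Xmx1g -Dsun.io.useCanonCaches=false"  # mitigated
assess "$SAMPLE_WEBXML" 21 "-Xmx1g"                                # no action
```

Point `assess` at a real `conf/web.xml` (or a webapp's own `WEB-INF/web.xml`, which can override the default servlet) and the options from `catalina.sh` or `setenv.sh` to check a live install.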


Root Cause: TOCTOU Race Condition

Both vulnerabilities are Time-of-Check Time-of-Use (TOCTOU) race condition flaws. These can allow attackers to execute code on case-insensitive file systems when the default servlet has write permissions.


For CVE-2024-50379, Apache highlighted that:

“Concurrent read and upload operations on the same file under load can bypass Tomcat's case sensitivity checks, causing the uploaded file to be treated as a JSP, leading to remote code execution.”


Impacted Versions

CVE-2024-56337 affects the following Apache Tomcat versions:

  • Tomcat 11.0.0-M1 to 11.0.1 (fixed in 11.0.2 or later)
  • Tomcat 10.1.0-M1 to 10.1.33 (fixed in 10.1.34 or later)
  • Tomcat 9.0.0.M1 to 9.0.97 (fixed in 9.0.98 or later)


Mitigation Steps

Users must implement specific configuration updates depending on the Java version:

  • Java 8 or Java 11: Explicitly set the system property sun.io.useCanonCaches to false (default is true).
  • Java 17: Ensure sun.io.useCanonCaches is set to false (it defaults to false).
  • Java 21 and later: No action required, as the system property has been removed.


Credits and Acknowledgments


The ASF credited security researchers Nacl, WHOAMI, Yemoli, and Ruozhi for identifying and reporting these vulnerabilities. It also acknowledged the KnownSec 404 Team for independently reporting CVE-2024-56337 along with proof-of-concept (PoC) code.


Related Security Concerns

This disclosure coincides with the Zero Day Initiative (ZDI) revealing a critical vulnerability in Webmin (CVE-2024-12828, CVSS score: 9.9). The flaw allows authenticated attackers to execute arbitrary code due to improper validation of user-supplied strings in CGI requests.


“The issue stems from the lack of proper validation before using user input to execute a system call. This enables attackers to execute code with root privileges,” ZDI explained.


Conclusion

Organizations relying on Apache Tomcat are strongly urged to update their systems immediately and apply the recommended configurations to minimize the risk of RCE attacks. Security teams must remain vigilant as attackers increasingly exploit unpatched vulnerabilities and misconfigurations.