CVE-2024-56337: Tomcat Users Face Continued RCE Risk
The Apache Software Foundation (ASF) has released a security update to address a critical vulnerability in the Tomcat server software, which, under specific conditions, could enable remote code execution (RCE). The vulnerability, identified as CVE-2024-56337, represents a partial fix for the previously disclosed CVE-2024-50379 (CVSS score: 9.8), which was patched on December 17, 2024.
According to the official advisory, users operating Tomcat on case-insensitive file systems with the default servlet's write function enabled (i.e., readonly set to false) must apply additional configuration changes to fully mitigate the vulnerability, depending on their version of Java.
Both vulnerabilities are linked to a Time-of-check Time-of-use (TOCTOU) race condition. This flaw allows code execution on case-insensitive file systems when the default servlet’s write functionality is active.
The issue arises during concurrent reading and uploading of a single file under heavy load, potentially bypassing case-sensitivity checks and resulting in the uploaded file being processed as a JSP, thus opening a path for remote code execution.
Affected Versions of Apache Tomcat
The CVE-2024-56337 vulnerability affects the following versions of Apache Tomcat:
- Apache Tomcat 11.0.0-M1 to 11.0.1 (fixed in 11.0.2 and later),
- Apache Tomcat 10.1.0-M1 to 10.1.33 (fixed in 10.1.34 and later),
- Apache Tomcat 9.0.0.M1 to 9.0.97 (fixed in 9.0.98 and later).
Configuration Changes Required for Full Mitigation
To fully address the issue, users must adjust their configurations based on their Java version:
- For Java 8 and Java 11: Set the system property sun.io.useCanonCaches to false (the default is true).
- For Java 17: Ensure the sun.io.useCanonCaches property is disabled (it is disabled by default).
- For Java 21 and later: No action is required, as the property has already been removed.
Acknowledgments
The ASF expressed gratitude to researchers Nacl, WHOAMI, Yemoli, and Ruozhi for identifying and reporting these vulnerabilities. Special thanks were extended to the KnownSec 404 Team for their independent discovery of CVE-2024-56337 and the provision of a proof-of-concept (PoC) exploit.