The Apache Software Foundation has published a security advisory for its Tomcat server, tracked as CVE-2024-56337, warning that the earlier fix for the remote code execution (RCE) vulnerability CVE-2024-50379 (CVSS 9.8) was incomplete. Depending on the Java version Tomcat runs on, upgrading alone is not enough: an additional JVM configuration change is required to fully mitigate the original flaw.
Key Vulnerability Details:
– Both CVEs concern the same Time-of-check Time-of-use (TOCTOU) race condition in Tomcat's handling of JSP files; CVE-2024-56337 records that the original mitigation did not close it on every Java version
– Exploitable only on case-insensitive file systems (Windows NTFS by default) when write support for the default servlet is enabled, i.e. its readonly initialisation parameter is set to the non-default value false
– Under load, concurrent reads and uploads of the same file can bypass Tomcat's case-sensitivity checks, so an uploaded file is treated as a JSP and executed, giving remote code execution
Affected Versions:
– Apache Tomcat 11.0.0-M1 to 11.0.1 (Fix: Version 11.0.2+)
– Apache Tomcat 10.1.0-M1 to 10.1.33 (Fix: Version 10.1.34+)
– Apache Tomcat 9.0.0.M1 to 9.0.97 (Fix: Version 9.0.98+)
Required Configuration Changes:
Java 8 or 11: explicitly set the system property sun.io.useCanonCaches to false (it defaults to true on these releases)
Java 17: sun.io.useCanonCaches already defaults to false; verify it has not been explicitly set to true
Java 21 and later: no action required, the property and the canonicalisation cache it controls have been removed
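The following is an added example, not code from the Apache advisory or the Tomcat project. It is a POSIX shell fragment of the kind one would place in $CATALINA_BASE/bin/setenv.sh: it reads the Java major version, computes the effective value of sun.io.useCanonCaches from the JVM options (the last -D occurrence wins, as in the JVM), decides whether that value is acceptable under the table above, and appends an explicit =false when it is not. The function names are mine, and so is the assumption that non-LTS releases below 17 are treated like Java 11 and releases 18 to 20 like Java 17; the advisory itself only lists the LTS releases.

```shell
#!/bin/sh
# Added example for CVE-2024-56337 handling; not Tomcat project code.
# Source from $CATALINA_BASE/bin/setenv.sh or call the functions directly.

JAVA_BIN="${JAVA_HOME:+$JAVA_HOME/bin/}java"

# Extract the version string from "java -version", whose first line reads e.g.
#   openjdk version "17.0.9" 2023-10-17     or     java version "1.8.0_392"
detected_java_version() {
    "$JAVA_BIN" -version 2>&1 |
        sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Map a version string to its major release:
#   "1.8.0_392" -> 8    "17.0.9" -> 17    "21" -> 21
java_major() {
    case "$1" in
        1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
        *)   printf '%s\n' "$1" | cut -d. -f1 ;;
    esac
}

# Handling the advisory requires for a given major version:
#   set    (Java 8/11)  property defaults to true, must be set to false
#   verify (Java 17)    property defaults to false, must not be set to true
#   none   (Java 21+)   property and cache removed, nothing to do
# Assumption (mine): 12-16 are treated like 11, 18-20 like 17.
canon_caches_action() {
    if   [ "$1" -lt 17 ]; then echo set
    elif [ "$1" -lt 21 ]; then echo verify
    else echo none
    fi
}

# Effective value of sun.io.useCanonCaches for this major version and JVM
# options string. The last -D occurrence wins, as it does in the JVM;
# with none present the release default applies.
effective_canon_caches() {
    major="$1"; opts="$2"
    last=$(printf '%s\n' "$opts" | tr ' ' '\n' |
           sed -n 's/^-Dsun\.io\.useCanonCaches=//p' | tail -n 1)
    if [ -n "$last" ]; then echo "$last"
    elif [ "$major" -lt 17 ]; then echo true    # Java 8/11 default
    else echo false                             # Java 17 default
    fi
}

# Exit 0 if the options are acceptable for this Java version, 1 otherwise.
opts_are_safe() {
    [ "$(canon_caches_action "$1")" = none ] && return 0
    [ "$(effective_canon_caches "$1" "$2")" = false ]
}

# Options to actually use: append an explicit =false whenever the current
# options are not safe. Appending also neutralises an earlier =true,
# because the JVM honours the last occurrence.
hardened_opts() {
    if opts_are_safe "$1" "$2"; then printf '%s\n' "$2"
    else printf '%s\n' "${2:+$2 }-Dsun.io.useCanonCaches=false"
    fi
}

# Typical setenv.sh use, only when a JVM is actually available.
if command -v "$JAVA_BIN" >/dev/null 2>&1; then
    MAJOR=$(java_major "$(detected_java_version)")
    case "$MAJOR" in
        ''|*[!0-9]*) : ;;   # unparsable version: leave CATALINA_OPTS alone
        *) CATALINA_OPTS=$(hardened_opts "$MAJOR" "${CATALINA_OPTS:-}")
           export CATALINA_OPTS ;;
    esac
fi
```

Run with `sh setenv.sh` after sourcing, or check a candidate option string by hand, e.g. `opts_are_safe 11 "$CATALINA_OPTS"; echo $?`. Note that this only covers the JVM side of the mitigation; whether the default servlet's readonly parameter is false is a separate check against conf/web.xml or the application's own web.xml.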
The vulnerability was reported to Apache by security researchers Nacl, WHOAMI, Yemoli and Ruozhi, and independently by the Knownsec 404 Team. Users should upgrade to Tomcat 11.0.2, 10.1.34 or 9.0.98 (or later) and, because the version upgrade alone is not a complete fix, also apply the sun.io.useCanonCaches configuration change that matches their Java version.