Critical Apache Tomcat Flaw Fixed: Remote Code Execution Vulnerability Finally Patched

Critical Security Update: Apache Tomcat Patches Remote Code Execution Vulnerability

Apache has released an urgent security patch addressing a significant vulnerability in the Tomcat web server that could enable remote code execution attacks. The flaw, identified as CVE-2024-56337, affects multiple versions of Apache Tomcat, a widely used open-source web server and servlet container essential for Java-based web applications.

Affected Versions:
– Tomcat 11.0.0-M1 through 11.0.1
– Tomcat 10.1.0-M1 through 10.1.33
– Tomcat 9.0.0.M1 through 9.0.97

The vulnerability stems from a time-of-check time-of-use (TOCTOU) race condition. It affects deployments where the default servlet has write enabled and the server runs on a case-insensitive file system. This issue is an extension of the previously identified CVE-2024-50379, for which an incomplete patch was released in December.

Recommended Updates:
Users should upgrade to:
– Version 11.0.2
– Version 10.1.34
– Version 9.0.98

Additional Configuration Requirements:
– Java 8/11: Set 'sun.io.useCanonCaches' to 'false'
– Java 17: Ensure 'sun.io.useCanonCaches' is 'false'
– Java 21+: No additional configuration needed
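As an added example (not from the advisory or the Tomcat project), the following POSIX shell script turns the affected version ranges and the Java property guidance above into a pre-upgrade audit. The live check assumes CATALINA_HOME is set, that bin/version.sh and java are available, and, as an assumption, treats Java 18 to 20 the same as Java 17.

```shell
#!/bin/sh
# Added example, not from the advisory or the Tomcat project: a pre-upgrade
# exposure check for CVE-2024-56337 built only from the version ranges and
# the Java property guidance in the article. Functions exit 0 for "yes".

# Affected when the version falls inside one of the three listed ranges.
# Milestone suffixes ("-M1", ".M1") are stripped and treated as pre-release,
# so 11.0.0-M1 compares as 11.0.0 and is reported as affected.
tomcat_affected() {
  v=$(printf '%s' "$1" | sed 's/[-.]M[0-9]*$//')
  maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; pat=${rest#*.}
  case "$maj.$min" in
    11.0) [ "$pat" -le 1 ] ;;
    10.1) [ "$pat" -le 33 ] ;;
    9.0)  [ "$pat" -le 97 ] ;;
    *)    return 1 ;;   # branches the article does not list
  esac
}

# Action for sun.io.useCanonCaches by Java major version, per the article:
# set = explicitly set it to false (8/11), check = confirm it is false
# (17; assumed to cover 18-20 too), none = nothing to do (21+).
canon_cache_action() {
  if [ "$1" -lt 17 ]; then echo set
  elif [ "$1" -lt 21 ]; then echo check
  else echo none; fi
}

# True when the web.xml on stdin gives the default servlet write access
# (readonly=false). Assumes Tomcat's usual layout: <param-name> directly
# followed by <param-value> with only whitespace between them.
default_servlet_writable() {
  tr -d ' \t\r\n' | grep -qi '<param-name>readonly</param-name><param-value>false</param-value>'
}

# Constructed web.xml fragment for the stand-alone run (not from a real host).
SAMPLE_WEBXML='<servlet><servlet-name>default</servlet-name>
  <init-param><param-name>readonly</param-name>
  <param-value>false</param-value></init-param></servlet>'

# Live check on a Tomcat host; assumes CATALINA_HOME is set and java on PATH.
check_host() {
  tv=$("$CATALINA_HOME/bin/version.sh" | sed -n 's#^Server version: *Apache Tomcat/##p')
  jmaj=$(java -version 2>&1 | sed -n 's/.*version "\([0-9]*\).*/\1/p')
  [ "$jmaj" = 1 ] && jmaj=8        # Java 8 reports itself as "1.8.0_xxx"
  tomcat_affected "$tv" && echo "Tomcat $tv is in an affected range: upgrade"
  default_servlet_writable < "$CATALINA_HOME/conf/web.xml" && echo "default servlet: write enabled"
  echo "sun.io.useCanonCaches on Java $jmaj: $(canon_cache_action "$jmaj")"
}

printf '%s' "$SAMPLE_WEBXML" | default_servlet_writable && echo "sample web.xml: write enabled"
if [ -n "${CATALINA_HOME:-}" ]; then check_host; fi
```

Run it on the Tomcat host as the service user; a hit on both the version range and the writable default servlet is the combination the advisory describes.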

Apache has announced plans for additional security enhancements in upcoming versions (11.0.3, 10.1.35, and 9.0.99), implementing automatic safety checks and improved default configurations to prevent exploitation of these vulnerabilities.
