Full Report
The Apache Software Foundation (ASF) has released a security update to address an important vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions. The vulnerability, tracked as CVE-2024-56337, has been described as an incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8), another critical security flaw in the same product that
Analysis Summary
# Vulnerability: Apache Tomcat RCE via Incomplete Mitigation for TOCTOU Flaw
## CVE Details
- **CVE ID**: CVE-2024-56337
- **CVSS Score**: not stated for CVE-2024-56337. The article describes it as an incomplete mitigation for CVE-2024-50379 (CVSS 9.8, Critical), which implies the derived vulnerability is also critical.
- **CWE**: CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition)
## Affected Systems
- **Products**: Apache Tomcat
- **Versions**:
  - Tomcat 11.0.0-M1 to 11.0.1
  - Tomcat 10.1.0-M1 to 10.1.33
  - Tomcat 9.0.0.M1 to 9.0.97
- **Configurations** (all must hold):
  - Running on a case-insensitive file system.
  - Default servlet write enabled (i.e., the `readonly` initialization parameter set to the non-default value of `false`).
  - The mitigation required depends on the Java major version in use (see Workarounds).
## Vulnerability Description
CVE-2024-56337 is an incomplete mitigation for CVE-2024-50379, rooted in a Time-of-check Time-of-use (TOCTOU) race condition vulnerability. If concurrent read and upload operations occur on the same file while running on a case-insensitive file system with the default servlet enabled for write, an attacker can bypass Tomcat's case sensitivity checks. This bypass allows an uploaded file to be treated as a JSP file, leading to Remote Code Execution (RCE).
## Exploitation
- **Status**: Proof-of-Concept (PoC) available (Reported by KnownSec 404 Team).
- **Complexity**: Implied to be Medium/Low due to the race condition exploiting default configurations.
- **Attack Vector**: Network (likely exploited via file upload mechanisms reachable over the network).
## Impact
- **Confidentiality**: Likely High (RCE allows access to system secrets).
- **Integrity**: High (Code execution allows modification or deletion of files/data).
- **Availability**: High (RCE can lead to server compromise or denial of service).
## Remediation
### Patches
- **Tomcat 11**: Fixed in version **11.0.2 or later**.
- **Tomcat 10.1**: Fixed in version **10.1.34 or later**.
- **Tomcat 9.0**: Fixed in version **9.0.98 or later**.
### Workarounds
Users must apply configuration changes depending on the running Java major version to fully mitigate the issue if they cannot patch immediately:
1. **Java 8 or Java 11**: Explicitly set the system property `sun.io.useCanonCaches` to `false` (it defaults to `true`).
2. **Java 17**: Set the system property `sun.io.useCanonCaches` to `false` if it has been explicitly set (it defaults to `false`).
3. **Java 21 and later**: No action required, as this system property has been removed.
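The following is an added configuration check (not Apache's code) that tests the conditions listed under Affected Systems and Workarounds against a Tomcat version string, a `conf/web.xml` document, and the JVM options string: an affected version range, a DefaultServlet with `readonly=false`, and the `sun.io.useCanonCaches` rule for the running Java major version. The case-insensitive file system condition cannot be read from configuration and is not checked; the `web.xml` sample is constructed.

```python
# Added configuration check for the conditions the advisory names (not Apache's
# own code): affected Tomcat version, DefaultServlet readonly=false, and the
# sun.io.useCanonCaches workaround for the running Java major version.
import re
import xml.etree.ElementTree as ET

FIXED = {(11, 0): 2, (10, 1): 34, (9, 0): 98}  # first fixed release per branch

def version_affected(version: str) -> bool:
    # Milestones such as 11.0.0-M1 or 9.0.0.M1 parse as x.y.0 and count as affected.
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version}")
    major, minor, patch = (int(x) for x in m.groups())
    fixed = FIXED.get((major, minor))
    return fixed is not None and patch < fixed

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace from an element tag

def default_servlet_writable(web_xml: str) -> bool:
    # True if the servlet named "default" carries init-param readonly=false.
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text for c in servlet if _local(c.tag) == "servlet-name"), "")
        if (name or "").strip() != "default":
            continue
        for param in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip().lower() for c in param}
            if kv.get("param-name") == "readonly" and kv.get("param-value") == "false":
                return True
    return False

def canon_caches_ok(java_major: int, jvm_opts: str) -> bool:
    # The advisory's per-Java-version rule for sun.io.useCanonCaches.
    m = re.search(r"-Dsun\.io\.useCanonCaches=(\w+)", jvm_opts)
    value = m.group(1).lower() if m else None
    if java_major >= 21:
        return True             # property removed; nothing to set
    if java_major == 17:
        return value != "true"  # defaults to false; only an explicit true matters
    return value == "false"     # Java 8/11 default to true; must be set explicitly

# Constructed sample: a DefaultServlet stanza from conf/web.xml with write enabled.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
<servlet-name>default</servlet-name><init-param><param-name>readonly</param-name>
<param-value>false</param-value></init-param></servlet></web-app>"""
```

A host is exposed only when `version_affected` and `default_servlet_writable` are both true and `canon_caches_ok` is false; the definitive fix remains upgrading to the patched release.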
## Detection
- **Indicators of Compromise**: Look for successful execution of unexpected Java Server Pages (JSP) files originating from uploaded content, especially under heavy concurrent load on file upload endpoints.
- **Detection Methods and Tools**: Monitor web server access logs for unusually named or executed files in temporary or uploaded directories, particularly sequences matching exploit payloads for CVE-2024-50379/56337. Analyzing file system activity during upload bursts can reveal the TOCTOU race condition attempt.
## References
- Vendor Advisory: the original text links to the Apache Software Foundation advisory for CVE-2024-56337 (link not reproduced here).
- CVE-2024-56337 Record: cve-dot-org/CVERecord?id=CVE-2024-56337
- Related CVE: cve-dot-org/CVERecord?id=CVE-2024-50379