By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

View all Vulnerabilities

CVE-2024-50379

Remote Code Execution

Affects

Apache Tomcat

Versions

>=9.0.0.M1 <9.0.98, >=10.1.0-M1 <10.1.34, >=11.0.0-M1 <11.0.2

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

Apache Tomcat is an open-source web server and servlet container developed by the Apache Software Foundation. It implements several Java Enterprise Edition (Java EE) specifications including Java Servlet, JavaServer Pages (JSP), and WebSocket, allowing it to run Java web applications. Tomcat is widely used in both development and production environments due to its lightweight nature, ease of configuration, and compatibility with various Java applications.

‍

A Remote Code Execution (RCE) vulnerability (CVE-2024-50379) has been identified in Apache Tomcat. This Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).

‍

The Open Web Application Security Project (OWASP) explains that RCE through code injection flaws are among the top-10 vulnerabilities. They are among the most potentially damaging of vulnerabilities because injected code:

Can access internal application objects/methods
Can often bypass security controls
May persist across sessions
Can often pivot to gain OS-level access

‍

This issue affects multiple versions of Apache Tomcat below 11.0.2.

‍

Details

Module Info

Product: Apache Tomcat
Affected packages: tomcat-embed-core, tomcat-catalina
Affected versions: >=9.0.0.M1 <9.0.98, >=10.1.0-M1 <10.1.34, >=11.0.0-M1 <11.0.2
GitHub repository: https://github.com/apache/tomcat

Published packages:
- https://central.sonatype.com/artifact/org.apache.tomcat.embed/tomcat-embed-core
- https://central.sonatype.com/artifact/org.apache.tomcat/tomcat-catalina

Package manager: Maven
Fixed in: 9.0.98, 10.1.34, and 11.0.2

‍

Vulnerability Info

An attacker can exploit a vulnerable Apache Tomcat server by concurrently reading and uploading the same file. At high load this can bypass Tomcat’s case sensitivity checks and cause the uploaded file to be treated as JSP, resulting in remote code execution.

‍

A Tomcat server is considered vulnerable if both of the following conditions are met:

The underlying file system is case-insensitive.
The server configuration has been modified from the default to allow write access via the default servlet.

‍

When these conditions are present, an attacker may bypass intended security controls and execute arbitrary code on the server.

‍

Mitigation

Only recent versions of Apache Tomcat are community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

‍

Users of the affected components should apply one of the following mitigations: