Overview
Apache Tomcat is an open-source web server and servlet container developed by the Apache Software Foundation. It implements several Java Enterprise Edition (Java EE) specifications including Java Servlet, JavaServer Pages (JSP), and WebSocket, allowing it to run Java web applications. Tomcat is widely used in both development and production environments due to its lightweight nature, ease of configuration, and compatibility with various Java applications.
A Denial of Service (DoS) vulnerability (CVE-2024-54677) has been identified in the examples web application provided with Apache Tomcat.
The Open Web Application Security Project (OWASP) explains that denial of service (DoS) attacks aim to make a service “unavailable for the purpose it was designed.” In this case the attacker can cause the server to run out of memory and become unable to function.
This issue affects multiple versions of Apache Tomcat.
Details
Module Info
- Product: Apache Tomcat
- Affected packages: tomcat-catalina
- Affected versions: >=9.0.0.M1 <9.0.98, >=10.1.0-M1 <10.1.34, >=11.0.0-M1 <11.0.2
- GitHub repository: https://github.com/apache/tomcat
- Published packages: https://central.sonatype.com/artifact/org.apache.tomcat/tomcat-catalina
- Package manager: Maven
- Fixed in: 9.0.98, 10.1.34, and 11.0.2
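The affected ranges above mix release versions with milestone builds (9.0.0.M1, 10.1.0-M1), which plain string comparison gets wrong. The following Java check is an added example, not code from the Tomcat project or this advisory: it parses a tomcat-catalina version string, ranks milestones below the corresponding release, and reports whether the version falls inside one of the ranges listed here. The class name and the sample inputs are constructed for the example.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Checks a tomcat-catalina version string against the affected ranges listed in this advisory. */
public final class Cve202454677Check {

    // Ranges copied from the advisory: lower bound inclusive, upper bound exclusive.
    // Anything outside these ranges (for example end-of-life branches) is simply not listed
    // here, so the check reports "not affected" for it; it encodes only what the advisory states.
    private static final String[][] AFFECTED = {
        {"9.0.0.M1", "9.0.98"},
        {"10.1.0-M1", "10.1.34"},
        {"11.0.0-M1", "11.0.2"},
    };

    // Accepts "9.0.98", "9.0.0.M1" and "10.1.0-M1": the milestone separator is "." in 9.x
    // and "-" in 10.x/11.x, so both are tolerated.
    private static final Pattern VERSION =
        Pattern.compile("^(\\d+)\\.(\\d+)\\.(\\d+)(?:[.-]M(\\d+))?$");

    /** Comparable form: major, minor, patch, milestone rank. A released build outranks any milestone of it. */
    static long[] parse(String version) {
        Matcher m = VERSION.matcher(version.trim());
        if (!m.matches()) {
            throw new IllegalArgumentException("Unrecognised Tomcat version: " + version);
        }
        long milestone = m.group(4) == null ? Long.MAX_VALUE : Long.parseLong(m.group(4));
        return new long[] {
            Long.parseLong(m.group(1)),
            Long.parseLong(m.group(2)),
            Long.parseLong(m.group(3)),
            milestone
        };
    }

    static int compare(String a, String b) {
        long[] x = parse(a);
        long[] y = parse(b);
        for (int i = 0; i < x.length; i++) {
            int c = Long.compare(x[i], y[i]);
            if (c != 0) {
                return c;
            }
        }
        return 0;
    }

    /** True when the version lies inside one of the affected ranges. */
    public static boolean isAffected(String version) {
        for (String[] range : AFFECTED) {
            if (compare(version, range[0]) >= 0 && compare(version, range[1]) < 0) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, as they might appear in a dependency report.
        List<String> samples = args.length > 0
            ? List.of(args)
            : List.of("9.0.0.M1", "9.0.97", "9.0.98", "10.1.0-M1", "10.1.34", "11.0.1", "11.0.2");
        for (String v : samples) {
            System.out.println(v + " -> " + (isAffected(v) ? "AFFECTED" : "not affected"));
        }
    }
}
```

Run it with the version strings from a Maven dependency tree (`mvn dependency:tree`) as arguments. The milestone rank is what makes 9.0.0.M1 sort below 9.0.0 and 10.1.0-M1 below 10.1.0, so the lower bounds of the ranges behave as the advisory intends.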
Vulnerability Info
Numerous examples in the examples web application did not place limits on uploaded data, enabling an OutOfMemoryError to be triggered and causing a denial of service.
By default, the examples web application is only accessible to localhost.
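The defect class described above is a request handler that buffers a client-controlled body with no ceiling. The servlet below is an added illustration, not code from the Tomcat examples web application: it shows the unbounded read pattern next to a bounded one that rejects the body once it passes a limit, checking both the declared Content-Length and the bytes actually read (a chunked body declares no length). The class name, the 1 MiB limit and the `jakarta.servlet` API (Tomcat 10.1 and 11; Tomcat 9 uses `javax.servlet`) are assumptions of the example.

```java
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

/** Unbounded versus bounded buffering of a POSTed request body. */
public class BoundedUploadServlet extends HttpServlet {

    // Hypothetical ceiling for this example; size it to what the endpoint legitimately needs.
    private static final long MAX_BODY_BYTES = 1L * 1024 * 1024; // 1 MiB

    /** Raised when a body exceeds the ceiling; distinct from ordinary I/O failures. */
    static final class BodyTooLargeException extends IOException {
        BodyTooLargeException(String msg) {
            super(msg);
        }
    }

    /** Vulnerable pattern: heap use grows with whatever the client chooses to send. */
    static byte[] readAllUnbounded(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n); // no limit: a large body ends in OutOfMemoryError
        }
        return buf.toByteArray();
    }

    /** Hardened pattern: reject on the declared size, and again on the bytes actually read. */
    static byte[] readAllBounded(InputStream in, long declaredLength, long limit) throws IOException {
        if (declaredLength > limit) {
            throw new BodyTooLargeException("declared Content-Length " + declaredLength + " exceeds " + limit);
        }
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        long total = 0;
        int n;
        while ((n = in.read(chunk)) != -1) {
            total += n;
            if (total > limit) { // chunked transfer carries no Content-Length, so check while reading too
                throw new BodyTooLargeException("request body exceeds " + limit + " bytes");
            }
            buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        byte[] body;
        try {
            // getContentLengthLong() returns -1 when no Content-Length header is present.
            body = readAllBounded(req.getInputStream(), req.getContentLengthLong(), MAX_BODY_BYTES);
        } catch (BodyTooLargeException tooLarge) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE); // 413
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("received " + body.length + " bytes");
    }
}
```

Connector settings such as `maxPostSize` only bound what Tomcat itself parses for request parameters; a servlet that reads the raw input stream has to enforce its own ceiling, as `readAllBounded` does. The examples web application is a demonstration component rather than part of a production deployment, so removing it from production instances removes the exposed handlers altogether.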
Mitigation
Only recent versions of Apache Tomcat are community-supported. The community support version will not receive any updates to address this issue. For more information, see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade to a patched version of Apache Tomcat
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credit
- Elysee Franchuk
- Tomcat security team