Home Security Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks

Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks

by


Dec 24, 2024Ravie LakshmananVulnerability / Zero Day

The Apache Software Foundation (ASF) has released a security update to address an important vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions.

The vulnerability, tracked as CVE-2024-56337, has been described as an incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8), another critical security flaw in the same product that was previously addressed on December 17, 2024.

“Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat,” the project maintainers said in an advisory last week.

Cybersecurity

Both the flaws are Time-of-check Time-of-use (TOCTOU) race condition vulnerabilities that could result in code execution on case-insensitive file systems when the default servlet is enabled for write.

“Concurrent read and upload under load of the same file can bypass Tomcat’s case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution,” Apache noted in an alert for CVE-2024-50379.

CVE-2024-56337 impacts the below versions of Apache Tomcat –

  • Apache Tomcat 11.0.0-M1 to 11.0.1 (Fixed in 11.0.2 or later)
  • Apache Tomcat 10.1.0-M1 to 10.1.33 (Fixed in 10.1.34 or later)
  • Apache Tomcat 9.0.0.M1 to 9.0.97 (Fixed in 9.0.98 or later)

Additionally, users are required to carry out the following configuration changes depending on the version of Java being run –

  • Java 8 or Java 11 – Explicitly set system property sun.io.useCanonCaches to false (it defaults to true)
  • Java 17 – Set system property sun.io.useCanonCaches to false, if already set (it defaults to false)
  • Java 21 and later – No action is required, as the system property has been removed
Cybersecurity

The ASF credited security researchers Nacl, WHOAMI, Yemoli, and Ruozhi for identifying and reporting both shortcomings. It also acknowledged the KnownSec 404 Team for independently reporting CVE-2024-56337 with a proof-of-concept (PoC) code.

The disclosure comes as the Zero Day Initiative (ZDI) shared details of a critical bug in Webmin (CVE-2024-12828, CVSS score: 9.9) that allows authenticated remote attackers to execute arbitrary code.

“The specific flaw exists within the handling of CGI requests,” the ZDI said. “The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex